A ransomware attack on international IT firm Kaseya appears to have infected hundreds of smaller-sized businesses that rely on the company’s product, including many based in the U.S.
On Friday, Kaseya disclosed that it had been the victim of a “potential attack,” implying that hackers were somehow targeting users of its VSA on-premises product. Customers should shut down VSA “IMMEDIATELY,” an alert reads.
While the company has claimed that the attack is “limited to a small number” of customers, Kaseya’s position in a wider IT ecosystem means the effects of this attack could be quite large—potentially making it one of the largest ransomware attacks in history.
Kaseya sells its products to firms known as managed service providers (MSPs)—companies that provide remote IT services to hundreds of smaller-sized businesses that don’t have the resources to conduct those processes in-house. MSPs use Kaseya’s VSA remote monitoring and management platform, offered both as a hosted service and as the on-premises product named in Friday’s alert, to push software updates to their clients’ machines and to handle other user issues.
However, it would appear that a ransomware gang is abusing VSA by “using a malicious update” to deploy ransomware to “companies across the world,” the Record reports. While the exact mechanics of the attack, and how and when it occurred, remain unclear, security experts are reporting that the ransomware is affecting not just the MSPs that use VSA but their clients too. In other words, the ransomware seems to have infected hundreds of smaller-sized businesses that rely on the MSPs for IT support.
Security firm Huntress told Gizmodo that three of its clients, who are MSPs and use VSA, had been affected by the attack and that, as a result, as many as 200 smaller businesses that rely on those MSPs had been hit with encryption.
“We are aware of four MSPs where all of the clients are affected — 3 US and one abroad. MSPs with over thousands of endpoints are being hit,” said John Hammond, a senior security researcher at Huntress. “When an MSP is compromised, we’ve seen proof that it has spread through the VSA into all the MSP’s customers.”
Hammond added that, “Based on everything we are seeing right now, we strongly believe this [is] REvil/Sodinokibi.”
REvil is a prominent cybercriminal gang that has used ransomware to go after high-profile targets, including Apple and Acer. It is also believed to be the gang that attacked meat supplier JBS, successfully extorting the large beef provider for $11 million.
America’s federal cybersecurity watchdog, the Cybersecurity and Infrastructure Security Agency, announced Friday that it was “taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software.”
“CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers,” the agency said.