On the 3rd of July 2021, the IT solutions developer Kaseya announced that it had become the victim of a REvil ransomware attack on July 2. The goal of the attack was to hit multiple managed service providers (MSPs) and their customers through a supply-chain attack that leveraged a vulnerability in Kaseya’s VSA software.
More than 800 businesses around the world were affected. The attack was timed for the Friday of the American Independence Day weekend, when many employees had taken days off to enjoy the holiday, so the response to the attack was slower than usual.
In response to the attack, Kaseya CEO Fred Voccola urged clients to shut down their VSA servers immediately to reduce the spread and impact of the attack. One of the main reasons for this urgency was that the threat actors were shutting off administrative access to the VSA. The announcement was released via email, phone, and online notices to Kaseya’s customers.
During the investigation by Kaseya’s incident response team, the company proactively shut down its SaaS servers and took its data centers offline in an effort to slow the spread of the attack. The attack was closely monitored by external cyber security companies such as Huntress, where senior security researcher John Hammond said they were “aware of four MSPs where all the clients are affected — 3 US and one abroad. MSPs with over thousands of endpoints are being hit.”
The main reason the attack was effective was that it rode on Kaseya VSA’s automatic update mechanism: the update carried a malicious script which, when launched, disabled Windows Defender and then launched the malicious executable that encrypted the files.
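Because the script’s first step was to weaken Windows Defender before the encryptor ran, a sequence like this is a useful detection anchor for defenders. The example below is added here and is not code from the page or from Kaseya; it runs a few Defender-tampering rules over constructed process command-line log lines. The log format, the host names, and the exact cmdlet forms the rules look for (Set-MpPreference/Add-MpPreference and the WinDefend service) are assumptions for illustration, not details taken from the article.

```python
import re

# Constructed sample process-creation records (not from the page).
# Format assumed: "<timestamp> <host> <user> <command line>".
SAMPLE_LOG = [
    "2021-07-02T14:01:07Z host01 SYSTEM powershell.exe -Command Get-Date",
    "2021-07-02T14:02:11Z host01 SYSTEM powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2021-07-02T14:02:12Z host01 SYSTEM powershell.exe Set-MpPreference -DisableIOAVProtection $true",
    "2021-07-02T14:02:13Z host02 SYSTEM powershell.exe Add-MpPreference -ExclusionPath C:\\temp",
    "2021-07-02T14:03:00Z host03 alice notepad.exe C:\\Users\\alice\\notes.txt",
]

# Rules describing ways Windows Defender can be weakened from a command line.
# These are assumptions about what such a script would run, not page content.
DEFENDER_TAMPER_RULES = [
    ("defender_pref_disable",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion\w+", re.I)),
    ("defender_service_stopped",
     re.compile(r"\b(sc(\.exe)?\s+stop|Stop-Service)\b.*\bWinDefend\b", re.I)),
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_line(line):
    """Split one log record into its fields; return None for malformed lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_defender_tampering(lines):
    """Return (host, timestamp, rule_name, command) for every matching record.

    Each record is reported at most once, under the first rule that matches.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in DEFENDER_TAMPER_RULES:
            if rx.search(rec["cmd"]):
                hits.append((rec["host"], rec["ts"], name, rec["cmd"]))
                break
    return hits


def hosts_to_triage(lines):
    """Sorted list of hosts with at least one tamper hit, for IR prioritisation."""
    return sorted({host for host, _, _, _ in detect_defender_tampering(lines)})


if __name__ == "__main__":
    for host, ts, rule, cmd in detect_defender_tampering(SAMPLE_LOG):
        print(f"{ts} {host} [{rule}] {cmd}")
    print("hosts to triage:", hosts_to_triage(SAMPLE_LOG))
```

In a real deployment the input would be Sysmon event ID 1 or Windows Security event 4688 command lines rather than the constructed list above, and a hit on a management-agent host is more significant than on a user workstation, since an update channel that disables endpoint protection before dropping a binary is exactly the pattern described here.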
The REvil ransomware gang is demanding $70 million to restore the encrypted files, although there is no evidence that any files were exfiltrated from the MSPs before the encryption process.