Existing Customers: (817) 277-1001 Sales Inquiries: (817) 270-6420

Running Kaseya VSA? What You Need to Know About the Latest Ransomware Attack

If your company runs Kaseya Virtual System Administrator (VSA), you may be vulnerable to a ransomware attack. In fact, if you’re currently dealing with a ransomware attack, the source may be Kaseya VSA.

In case you missed it (and with so many cyberattacks these days, you very well may have), software company Kaseya Limited was recently targeted by REvil, a Russia-based cybercriminal organization. You may have seen REvil in headlines recently widely believed to be responsible for the recent attack on JBS Foods in June.

REvil, which took responsibility for the Kaseya attack, was able to introduce ransomware to users of Kaseya VSA through an authentication bypass vulnerability that allowed REvil to access Kaseya’s VSA servers. Once the authenticated session was initiated, REvil uploaded an automated and deceptive software update, known as Kaseya VSA Agent Hot-fix, that the compromised VSA servers automatically executed, propagating the ransomware across client systems. This approach was reminiscent of the 2020 SolarWinds attack, during which Russia pushed malware through a software update that compromised the networks of thousands of customers.

Beginning Friday, July 2nd, SMPs and MSPs across the globe found their systems compromised, alongside ransom demands. Kaseya VSA counts among its users small and midsize businesses (SMBs) who purchase their services directly and managed service providers (MSPs) who use Kaseya VSA as part of the managed IT services offer SMBs.  While Kaseya estimates less than 1 percent of its clients were affected, given that that estimate includes MSPs, up to 1,500 SMBs may have been compromised. According to the company, the attack’s effects have been most heavily felt by those who have on-premise data centers, which also temporarily shut down its cloud-based services as a precaution.

Fallout from the Kaseya Attack

While cyberattacks originating from overseas attacks are challenging for businesses and local law enforcement to address, the U.S. government has recently stepped up its efforts to respond. The Colonial Pipeline and JBS Food attacks have drawn attention from lawmakers who are considering mandating that critical infrastructure business, federal contractors, and government contractors take stronger cybersecurity measures and disclose breaches far quicker than they do now. In the wake of those attacks and this incident, President Biden has also called upon Russian President Vladimir Putin to take more aggressive measures to curtail cybercrime and halt any state-sanctioned cyberespionage efforts underway.

As of July 13th, the websites REvil had been using to coordinate ransom payments were recently taken offline. Some media pundits and cybersecurity analysts have speculated that this development may result from a U.S.-initiated cyberattack on REvil’s IT assets, though there is no official confirmation of that theory. REvil could also simply have decided to lower its profile, given the widespread attention now being paid to its organization.

What SMBs Running Kaseya VSA Need to Do Today

Regardless, companies that have used Kaseya that have not suffered a ransomware attack in the past two weeks should comb their network for any suspicious activity. If you use an MSP that provides cloud-based IT management and security services through Kaseya, you should have been notified about the Kaseya attack even if your services were not affected.

If you were one of the affected firms, you’re likely in the midst of restoring, or hopefully have restored, your operations from backups. The recent REvil website outage has made ransom negotiations more complicated, and, in most cases, it’s a better choice, in the long run, to restore your system from backups rather than pay a ransom.

Despite REvil’s promise of a universal decryptor key in exchange for ransom payments, there’s no guarantee that if you pay the ransom, you’ll be able to regain control of your system. In the Colonial Pipeline case, the decryption key provided by the hacking group DarkSide was so slow as to force the company to restore their system from backups anyway. Further, it’s incredibly challenging and time-consuming to rid your servers of some types of malware. Some companies who’ve tried to clean compromised servers have inadvertently left themselves open to a second attack.

If you’ve remained operational but are unsure what platforms and technologies your MSP uses to provide your services, give them a call. Ask if they use Kaseya and, if so, if they were affected by the recent ransomware attack. Even if they were not, ask for a complete rundown of the measures they have in place to defend against such an attack.

If your MSP does not use Kaseya, it’s still not a bad idea to reach out to them, especially if it’s been some time since you’ve discussed cybersecurity. Reaffirm what platforms and technologies they use to provide you with the services you use, as well as the cybersecurity measures they and their technology providers have in place. After all, there’s no stopping cybercriminals from targeting other software providers. Unfortunately, the platform or MSP you use could be next in their crosshairs.

You should be able to obtain this information in writing from your MSP quickly. If you can’t, well, that’s a serious red flag. Your MSP should be on top of its own cyber defenses, as well as cybersecurity developments. If they used Kaseya and didn’t inform you of the attack, you should switch MSPs. And if they’re struggling to provide you with detailed technical information on the cybersecurity measures they have in place, you also should consider switching providers. While MSPs promote the security their clients enjoy, not every MSP is as prepared as it should be. And you can’t afford for your MSP to be unprepared. Today, every company is a target, and if your MSP is attacked and unprepared, the damage could cost you your business.

If your MSP uses Kaseya and this is the first you’re hearing of the recent ransomware attack, we invite you to contact us at CorpTek Solutions LLC today. Or, if your MSP’s answers to basic cybersecurity questions are filling you with doubts, we’re here to help. For more than 15 years, we’ve worked with small and midsize businesses throughout Dallas and Fort Worth. Our expert team of cybersecurity professionals can help you design the right plan and identify the appropriate IT solutions to protect your business. We stay on top of new security solutions and emerging threats to safeguard your operations. And we make sure that you hear about threats from us first, rather than the news. Take the first step to securing your business by contacting us today.