On July 2, 2021, the REvil ransomware group attacked software provider Kaseya, creating downstream risk for customers of the company
Last updated July 9, 2021
As many Americans eased into the July 4th holiday weekend, the REvil ransomware group had different plans. At approximately 2 PM ET on July 2nd, Kaseya publicly notified its user base that a potential attack against the Kaseya VSA software was underway, impacting a subset of its customers. Kaseya VSA lets organizations remotely manage and monitor endpoints and monitor the network. This functionality makes it easier to manage devices across an organization, which is why many Managed Service Providers (MSPs) use it as their tool of choice to manage and monitor client environments.
Figure 1: Notice on Kaseya’s website on July 2, 2021
While current information suggests that a smaller subset of Kaseya MSP customers were impacted, the “one to many” style of attack will result in a larger downstream impact, reaching a larger number of organizations that are customers of the impacted MSPs.
See our blog post for updated context around this event.
Remediation of the on-premise Kaseya VSA servers only applies if you manage a VSA server in your environment. This will be most relevant for MSPs and less so to customers of MSPs.
If you are a customer of an MSP, take the following steps:
- Confirm with your MSP whether they use an on-premise Kaseya VSA solution.
- If your MSP uses an on-premise Kaseya VSA server, forward them this link and ensure they have followed the action items listed below.
If you are an IT MSP, take the following step:
- Leverage Kaseya’s readiness checklist and hardening guidelines prior to installing the on-premise Kaseya VSA patch, which is expected to be released July 12, 2021.
This attack highlights the growing need for a strong and robust software development life cycle (SDLC) and for managing the risk that third-party applications can introduce to your environment. Corvus will continue to monitor the situation and be available for organizations that have questions or need assistance in responding to this latest attack.