REvil Kaseya Attack

All the details

This blog post will cover the reasons why IT admins should be wary of the REvil Kaseya attack. Kaseya is a company that provides IT management software for small to large businesses. The company started in 2000 and is based in San Mateo, California. Kaseya offers IT management software for IT managers, ISP’s, and SMBs. Their flagship product is Kaseya VSA. It is a complete IT management solution that includes live monitoring and remote control. Via VSA, MSPs can perform patch management at customers among other things. The VSA client software is installed on these customers’ systems, that is managed via a VSA server.


The Kaseya ransomware attack took place on Friday, July 2. Businesses worldwide are hit with the REvil Kaseya attack. The attackers claim to have encrypted more than a million computers and demand $70 million for a generic decryption tool that will allow all victims to decrypt their files. The exact attack vector was unknown at first, but everything quickly pointed to the VSA program from software company Kaseya. Managed service providers use this software to remotely manage their customers’ systems.


Scale, Details Of Massive Kaseya Ransomware Attack


EmergeHuntress Labs’ John Hammond told BleepingComputer that all of the affected MSPs use Kaseya VSA and have proof that their customers are encrypted as well.

The full impact won’t be felt until Tuesday when people are back at work, experts say. “Not everyone have seen the alerts or had the urgency to check their own network/systems,” said Bryce Webster-Jacobsen, the head of intelligence at cybersecurity company GroupSense.

Kaseya made a tool that detects invaded systems such as computers, managed by this server. This tool only searches for traces of infection that Huntress Labs has shared that are specific to this ransomware attack. The advice remains to keep VSA servers offline until more information is available from Kaseya. In addition to using Kaseya’s detection tool, the NCSC recommends taking a broader view of log files and performing additional monitoring and analysis. The ‘Guide for the implementation of detection solutions’ contains more points for attention for monitoring. The attackers behind the ransomware attack via Kaseya’s software do not have access to the company’s source code, for example the update servers used to locate their ransomware. There is no such thing as a supply chain attack. This is what Kaseya states based on research.

Kaseya rolled out security updates. 95% of Kaseya’s SaaS customers are now online again.

Protect your company. Please look at these security services to secure your business, before criminals find your company’s weaknesses