Editor’s note: This story has been updated to reflect new details.
On-premises installations of the remote IT management and monitoring application VSA were targeted throughout Friday by a ransomware group that hit multiple managed service providers. Vendor Kaseya recommends customers "IMMEDIATELY shutdown" VSA servers until further notice.
The CEO later announced that a vulnerability used in the attacks has been identified and a patch is forthcoming.
"We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us," the company wrote on its webpage Friday afternoon. "It's critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA," said Keyasa, who declined to provide further comment at this time.
The Huntress Labs official account has been live-blogging its experience with the attacks on a Reddit thread. By around 3:15 pm, Huntress said in their posts it was aware of 200 businesses being encrypted over eight MSPs.
Huntress says they have seen a ransom demand of $5 million in one case, though the company cautions that may not be consistent across victims. Huntress and Sophos have both reported that the hackers are a REvil affiliate group.
"It has been an all-hands-on-deck evolution to respond and make the community aware," Huntress researcher John Hammond said in an emailed statement to SC Media.
Hammond said Huntress was first made aware of the ransomware at 12:35 PM and has been working with Kaseya, which Hammond says has been responsive.
In a Friday night letter to the media, Kaseya CEO Fred Voccola said that the company was made aware of the attacks "midday" — roughly the same time as Huntress — and that the hackers found a vulnerability in only the on-premises product. However, Kaseya shut down the cloud version of VSA as a precautionary measure. Voccola said the SaaS product would be restored within 24 hours after further testing to make sure they can restore service safely.
"We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running," he said.
Voccola said that "fewer than 40" customers were affected, though the customers, in this case, are the MSPs, each of whom has many customers of its own. Huntress said several MSPs it worked with had all customers' data encrypted.
But later in the evening, Huntress cast doubt on the fewer than 40 figure.
"We can only comment on what we've observed, which has been around 20 MSPs who support over 1,000 small businesses, but that number is expanding quickly,” said Hammond.
Huntress only has visibility on its own clients, suggesting other security firms may be seeing similar numbers and rates of expansion.
Kaseya is coordinating with the FBI and CISA, and has engaged internal and external incident response experts.
Hammond described the path of the attack as such: "agent.crt is dropped by the Kaseya VSA. It is then decoded with certutil to carve out agent.exe, and inside agent.exe it has embedded MsMpEng.exe and mpsvc.dll. The legitimate Windows Defender executable was used to side-load a malicious DLL."
"It is the same exact binary for all victims," he added.
Sophos has posted indicators of compromise on its blog.
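For defenders, the chain Hammond describes leaves two behaviors visible in process-creation logs: certutil decoding a file into an executable, and MsMpEng.exe starting from somewhere other than the Defender install directory. The sketch below is an added example, not code from Huntress, Sophos or Kaseya; the event field names, the C:\Example paths and the Defender directory list are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: default Defender install locations; adjust for your fleet.
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
DECODE_FLAG = re.compile(r"\s[-/]decode(\s|$)", re.I)

def classify(event):
    """Findings for one process-creation record (Sysmon EID 1 / Security 4688 style)."""
    findings = []
    image = event["image"].lower()
    name = PureWindowsPath(image).name
    args = event["command_line"].split()

    # Stage 1: certutil -decode whose output is an executable or DLL.
    if name == "certutil.exe" and DECODE_FLAG.search(event["command_line"]):
        out = args[-1].strip('"').lower()
        findings.append("certutil-decode-to-pe" if out.endswith((".exe", ".dll"))
                        else "certutil-decode")

    # Stage 2: the Defender engine binary running outside its install
    # directory, the precondition for side-loading a planted mpsvc.dll.
    if name == "msmpeng.exe" and not image.startswith(DEFENDER_DIRS):
        findings.append("msmpeng-outside-defender-dir")
    return findings

def scan(events):
    """Return {index: findings} for events that matched at least one rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

# Constructed sample events; the directories are placeholders, not IoCs.
SAMPLE = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -decode C:\Example\agent.crt C:\Example\agent.exe"},
    {"image": r"C:\Example\MsMpEng.exe", "command_line": r"C:\Example\MsMpEng.exe"},
    {"image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-0\MsMpEng.exe",
     "command_line": "MsMpEng.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -hashfile C:\Example\file.bin SHA256"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE).items():
        print(idx, SAMPLE[idx]["image"], hits)
```

Because Hammond notes the binary was identical across victims, hash-based indicators also apply here; the behavioral rules above are meant to complement them, not replace them.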