On July 2, 2021, Kaseya, a Miami-based vendor of IT management software used by managed service providers (MSPs), announced that its Virtual System Administrator (VSA) product was under attack and that some on-premises customers had been affected. The attack culminated in the distribution of ransomware to certain Kaseya customers by REvil, a known ransomware-as-a-service (RaaS) group, which demanded $70 million in cryptocurrency in exchange for a universal decryptor to restore victims' data. Later reports indicated that the demand had since been lowered to $50 million.

Kaseya has approximately 40,000 organizations using its products, though not all of them were directly affected by the attack. However, by targeting VSA, the software MSPs use to remotely manage their customers' networks and push software updates to them, the attackers turned a trusted update channel into the delivery mechanism for the ransomware. This is a supply chain attack that potentially reaches 800,000 or more small and mid-sized businesses, and its full implications may take weeks to discover and remediate.

Although only about 50 direct customers were initially identified, that number has inevitably grown. Because many businesses were closed for the holiday weekend, an accurate assessment of the damage caused by this attack is not yet available. Kaseya has released a statement urging companies that believe they have been compromised to report the incident to the FBI Internet Crime Complaint Center (IC3).

Early reports indicated that the initial intrusion vector was a zero-day vulnerability in the Kaseya VSA server. Kaseya took its software-as-a-service (SaaS) VSA servers offline and instructed on-premises customers to shut down their VSA servers until a patch is released. As of July 3, eight organizations were confirmed to have been infected. The names of the affected Kaseya-affiliated organizations have not been publicly disclosed to date.

As of July 5, Kaseya has stated that it believes approximately 200 to 1,500 downstream businesses were compromised by the ransomware attack. Kaseya is distributing a set of hardening requirements that customers must apply before their servers are brought back online; the return to service was scheduled to begin on Tuesday, July 6.

Fortress released an initial threat advisory on July 3 for our customers and email subscribers, which can be downloaded here. Through Fortress' Asset to Vendor Network (A2V), members have visibility into their suppliers' third-party relationships, including those that act as managed service providers, to help critical infrastructure owners mitigate the risk that managed services pose to their operations.