Kaseya VSA ransomware attack

From Wikipedia, the free encyclopedia

On 2 July 2021, a number of managed service providers (MSPs) and their customers became victims of a ransomware attack perpetrated by the REvil group,[1] causing widespread downtime for over 1,000 companies.[2][3]

Company

Kaseya Limited is an American software company founded in 2001 and headquartered in Miami, Florida, US. It develops software for managing networks, systems, and information technology infrastructure. Owned by Insight Partners, Kaseya has branch locations across the US, Europe, and Asia Pacific.[4] Since its founding in 2000, it has acquired 13 companies, which have in most cases continued to operate as their own brands (under the "a Kaseya company" tagline), including Unitrends.

Timeline and impact

The source of the outbreak was identified within hours to be VSA (Virtual System Administrator),[1] a remote monitoring and management (RMM) software package developed by Kaseya. An authentication bypass vulnerability in the software allowed attackers to compromise VSA servers and distribute a malicious payload to the hosts managed by the software,[5] amplifying the reach of the attack.[6] In response, the company shut down its VSA cloud and SaaS servers and issued a security advisory to all customers, including those with on-premises deployments of VSA.[7]

Initial reports of companies affected by the incident included the Norwegian financial software developer Visma, which manages some systems for the Swedish supermarket chain Coop.[8] The supermarket chain had to close its 800 stores for almost a week, some of them in small villages without any other food shop. Coop did not pay the ransom, but rebuilt its systems from scratch after waiting for an update from Kaseya.[9]

The REvil ransomware gang officially took credit for the attack and claimed to have encrypted more than one million systems during the incident. They initially asked for a $70 million ransom payment to release a universal decryptor to unlock all affected systems.[10] On July 5, Kaseya said that between 800 and 1,500 downstream businesses were impacted in the attack.[11]

Marcus Hutchins criticized the assessment that the impact of the Kaseya attack was larger than WannaCry, citing difficulties in measuring the exact impact.[12]

After a 9 July 2021 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not.[13][14]

On 13 July 2021, REvil websites and other infrastructure vanished from the internet.[15]

On 23 July, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.[16]

References

  1. "Une cyberattaque contre une société américaine menace une multitude d'entreprises". Le Monde (in French). 3 July 2021.
  2. Osborne, Charlie. "The Kaseya ransomware attack: Everything we know so far". ZDNet. Retrieved 2021-07-07.
  3. McMillan, Robert (2021-07-04). "Ransomware Attack Affecting Likely Thousands of Targets Drags On". Wall Street Journal. ISSN 0099-9660. Retrieved 2021-07-07.
  4. Wile, Rob; Wilner, Michael (July 6, 2021). "One of Miami's oldest tech firms is at the center of a global ransomware computer hack". Miami Herald. Retrieved July 11, 2021.
  5. Hammond, John. "Rapid Response: Mass MSP Ransomware Incident". Huntress. Retrieved 2021-07-24.
  6. "Ransomware attack struck between 800 and 1,500 businesses, says company at center of hack—Kaseya's software touches hundreds of thousands of firms, but company says vast majority were unaffected". The Washington Post. July 6, 2021. Retrieved July 6, 2021.
  7. Giles, Martin (3 July 2021). "A New Wave Of Ransomware Has Been Sparked By A Cyberattack On Tech Provider Kaseya". Forbes.
  8. Tidy, Joe (3 July 2021). "Swedish Coop supermarkets shut due to US ransomware cyber-attack". BBC News.
  9. "More and more Coop stores can be opened – but there is still much to be done".
  10. Cimpanu, Catalin (5 July 2021). "REvil gang asks for $70 million to decrypt systems locked in Kaseya attack". The Record.
  11. Satter, Raphael (5 July 2021). "Up to 1,500 businesses affected by ransomware attack, U.S. firm's CEO says". Reuters.
  12. Hutchins, Marcus. "Twitter". Twitter. Retrieved 2021-07-13. "The reason some people think REvil was bigger than WannaCry is because WannaCry was so big that nobody was ever able to quantify it. The best metrics we have is unique IP addresses, but companies have 10s, 100s, or 1000s of machines behind a single IP due to NAT."
  13. "Biden tells Putin Russia must crack down on cybercriminals". AP News. July 9, 2021.
  14. Sanger, David E. (July 13, 2021). "Russia's most aggressive ransomware group disappeared. It's unclear who disabled them". The New York Times.
  15. Fung, Brian; Cohen, Zachary; Sands, Geneva (July 13, 2021). "Ransomware gang that hit meat supplier mysteriously vanishes from the internet". CNN Business.
  16. "Ransomware key to unlock customer data from REvil attack". BBC News. BBC. July 23, 2021. Retrieved July 23, 2021.