It appears that the attackers carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) and their customers. “To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised,” Kaseya said in an update on the attack.
The attackers exploited a previously unknown flaw in Kaseya’s VSA software, which is used by MSPs and their customers. VSA is remote monitoring and management software used to manage endpoints, such as PCs, servers and cash registers, as well as to manage patching and security vulnerabilities.
On Sunday, the actors asked for $70 million in exchange for a universal decryption tool that would supposedly resolve the REvil issue for Kaseya and its customers. Some victims, such as Swedish supermarket Coop, remained closed for business on Monday due to the attack. The company is currently working to replace its affected checkout systems at multiple stores, it said in a statement on Monday.
Kaseya noted that it had not received reports of VSA customers that had been compromised since Saturday. It says that no other Kaseya products were compromised. While Kaseya’s software-as-a-service (SaaS) line of VSA was not affected, its servers were taken down during the incident response and remain offline today.
Kaseya has developed a patch for customers running VSA on their own servers. A patch should be available within 24 hours after its SaaS servers are brought back online, which it estimates will happen today, July 6, between 2 PM and 5 PM EDT, Kaseya said in an update.
Kaseya worked with the FBI and CISA on Monday evening to discuss systems and network hardening tasks prior to restoring services for its SaaS and on-premises customers. “A set of requirements will be posted prior to service restart to give our customers time to put these counter measures in place in anticipation of a return to service on July 6th,” it noted.
It has also released a new, free compromise detection tool that customers can use to check networks and computers. The new version searches for indicators of compromise, data encryption, and the REvil ransom note.
“We recommend that you re-run this procedure to better determine if the system was compromised by REvil,” Kaseya said. Kaseya is still urging customers to keep VSA servers offline until it’s safe to proceed with restoration efforts.