The attack is reportedly delivered through a Kaseya VSA auto-update that maliciously pushes the Revil ransomware onto victims’ machines. It’s critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA.” “We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us. Number of on-premise customers only as of 2:00 PM EDT today,” Kaseya wrote on Friday afternoon. “We are experiencing a potential attack against the VSA that has been limited to a small July 2, Shutdown Kaseya VSA immediatelyĪ severe ransomware attack reportedly taking place now against the popular Remote Monitoring and Management software tool Kaseya VSA has forced Kaseya into offering urgent advice: Shutdown VSA servers immediately.July 3, Two MSPs named, hundreds of Coop stores closed.July 4, 5:00 am, “ Thousands affected“, zero-day blamed.July 4, 4:00 pm, Malwarebytes telemetry shows surge in REvil detections.July 4, 8:50 pm, REvil asks for $70 million.July 5, 4:30 am, Kaseya releases compromise detection tool.July 5, 5:00 am, Kaseya flaw part of larger structural weakness in admin tools.July 6, 2:45 am, Ransom demand drops to $50 million, REvil branded “terrorists”.July 6, 3:15 am, Malwarebytes telemetry reveals global scale of the attack.
KASEYA AGENT INSTALL UPDATE
July 6, 3:40 pm, malspam using fake Kaseya security update.July 7, 8:30 am, Kaseya VSA SaaS platform still offline, not updated as planned.Malwarebytes detects the REvil ransomware used in this attack as Sodinokibi. Malwarebytes does not use Kaseya products.