Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours datacenterknowledge.com - get the latest breaking news, showbiz & celebrity photos, sport news & rumours, viral videos and top stories from datacenterknowledge.com Daily Mail and Mail on Sunday newspapers.
Kaseya apologises for extended downtime after ransom attack
CEO of Kaseya apologises after pushing back the restoration of the firm’s VSA service following a REvil ransomware attack
Share this item with your network: By Published: 08 Jul 2021 12:20
Kaseya CEO Kevin Voccola has apologised to the firm’s thousands of users currently unable to service their own customer bases while both hosted and on-premise instances of its VSA endpoint and network management service remain offline following a devastating ransomware attack by the REvil/Sodinokibi syndicate.
The firm had hoped to bring its software-as-a-service (SaaS) datacentres back online over 24 hours ago, but technical issues forced this timeline to be reset, and on-premise versions of VSA cannot be restarted until the SaaS version is up and running. In the meantime, Kaseya has published a runbook for on-premise customers to help them prepare to restart.
Researchers warned Kaseya April 6 about one of the vulnerabilities that REvil ended up exploiting nearly three months later in a crippling ransomware attack.
The Dutch Institute for Vulnerability Disclosure (DIVD) said that researcher Wietse Boonstrain in April discovered seven vulnerabilities in Kaseya’s VSA remote monitoring and management product and notified the New York- and Miami-based IT service management vendor about the flaws less than a week later. Eighty-seven days later, REvil took advantage of a flaw flagged by DIVDthat still wasn’t resolved.
“Last weekend, we found ourselves in the middle of a storm,” DIVDresearcher Frank Breedijk wrote Wednesday. “A storm created by the ransomware attacks executed via Kaseya VSA using a vulnerability which we confidentially disclosed to Kaseya. … Unfortunately, the worst-case scenario came true.”
Mark Wilson/Getty Images
7 Jul 2021
The hackers behind the recent ransomware attack of the IT firm Kaseya have offered a universal decryptor software key that could unlock all affected machines for $70 million.
Breitbart News recently reported that between 800 and 1,500 businesses worldwide have been affected by a recent ransomware attack that focused on the U.S. tech firm Kaseya, according to the company’s CEO Fred Voccola.
One of Kaseya’s tools was recently subverted allowing hackers to shut down hundreds of businesses worldwide. Most of these businesses were small or mid-sized including dentist practices and accounting firms but in Sweden, hundreds of supermarkets were forced to close as their cash registers became inoperative. In New Zealand, many schools and kindergartens were taken offline.
At 4:30 p.m. UTC, all within the same second, the compromised servers woke up and ran a command script that disabled a variety of security controls and sent malicious payloads to every system managed by those servers, according to an analysis conducted by Huntress Labs. While security firms are still sifting through the data, reverse engineering has revealed that the attack from the first packets exploiting dozens of VSA servers, to the deployment of ransomware on the endpoints of hundreds to thousands of MSP customers took less than two hours.
The speed of automation gave managed service providers and their customers only a very narrow window in which to detect attacks and block them, says John Hammond, a senior threat researcher for Huntress Labs. Companies would have to run frequent monitoring and alerts to have caught the changes, he says.