Kaseya: "No evidence" of supply chain attack, SaaS services may come back today

On-prem service restoration could follow within 24 hours

Kaseya, which was hit with a ransomware attack last week that has infected thousands of firms, says it is testing a new patch for its on-premise software and hopes to be able to restore SaaS services later today.

In an update to its rolling advisory, Kaseya has changed the estimate of affected customers from 'fewer than 40' to 'fewer than 60' - although as the majority are IT service providers, there are many more downstream companies suffering from the attack: as many as 1,500. However, it also added some good news: it is considering restarting its SaaS services between 19:00 and 22:00 BST tonight.

The company has been working with the FBI and the USA's Cybersecurity and Infrastructure Security Agency (CISA) 'to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.'

It added, 'A set of requirements will be posted prior to service restart to give our customers time to put these counter measures in place in anticipation of a return to service on July 6th.'

Kaseya is also testing a patch for on-prem customers, which it expects to be available within 24 hours after restoring its SaaS servers.

Hackers from the REvil group compromised Kaseya's remote monitoring and management tool, VSA , on Friday, encrypting thousands of businesses' IT systems remotely. The gang has officially claimed responsibility and is offering a universal decryptor to victims - for the bargain price of $70 million.

'On Friday (02.07.2021) we launched an attack on MSP providers,' REvil has said in a post.

'More than a million systems were infected. If anyone wants to negotiate about universal decryptor - our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal - contact us using victims 'readme' file instructions.'

Kaseya had told customers that use VSA to immediately shut their servers down, so the news that a patch is coming will be welcome - despite the delay compared to SaaS.

In slightly uplifting news, Kaseya's initial analysis of the attack shows 'no evidence' that REvil had compromised the VSA codebase. Instead, the group exploited zero-day vulnerabilities in VSA to bypass authentication and run arbitrary command execution. 'This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints', says Kaseya.

The REvil gang (also known as Sodinokibi) began operations in April 2019, after the GrandCrab ransomware group shut its doors.

REvil has been extremely active in the last year. In 2020 it began offering stolen data for sale on an auction site; and just last month was able to extort $11 million from meat-packing giant JBS.

The Kaseya attack is the single biggest global ransomware attack on record, say security experts.

The full impact is not yet clear, but federal agencies and researchers believe that it has affected more than a thousand firms worldwide.

Kaspersky alone had observed more than 5,000 attack attempts in 22 countries by Monday; the attack occurred on Friday.

"The two biggest [affected] regions we've seen are USA and Germany," said Ross McKerchar, CISO at Sophos Group.

Kaseya has hired cybersecurity firm FireEye to help deal with the fallout of the attack.