Kaseya Starts Recovery After REvil Attack

Kaseya is now reporting the software-as-a-service (SaaS) instance of its Virtual System Administrator (VSA) platform will be back online sometime between 4:00 p.m. and 7:00 p.m. EST today. It expects the on-premises editions of VSA to be patched within 24 hours after that.

The company has also committed to providing access to an independent security operations center on a 24/7 basis for every instance of VSA, with the ability to quarantine and isolate not just files but also entire VSA servers. A complementary content delivery network (CDN) with a web application firewall (WAF) is also being provided for every VSA instance on an opt-in basis.

Finally, a compromise detection tool is available for download, and customers who whitelist IPs will be required to whitelist additional IPs.

Thus far, Kaseya is reporting that fewer than 60 of its customers were impacted. All of those customers were using the on-premises edition of the VSA platform. However, many of those customers are MSPs, so the blast radius for the attack is roughly 1,500 downstream businesses. The attack was launched by cybercriminals affiliated with REvil, a ransomware-as-a-service platform, and the attackers reportedly asked for $70 million to decrypt the VSA servers impacted by the attack.

It appears the zero-day attack could have been much worse, said Mike Hamilton, chief information security officer (CISO) for Critical Insight, a provider of a managed detection and response platform. The attack offered an example of a smash-and-grab attack, as the malware that made it onto VSA servers didn’t appear to propagate across the entire IT environment, he added.

The most immediate requirement in the wake of the attack is to increase the depth of the security audits being conducted across the IT supply chain, said James Shank, chief architect for community services for Team Cymru, a provider of threat intelligence tools employed to conduct such audits. Unfortunately, Shank said, this is only the beginning. “It will get worse,” he added.

Unfortunately, most organizations, especially small-to-medium businesses (SMBs), don’t have the skills and resources required to conduct those types of audits, said Eldon Sprickerhoff, chief innovation officer for eSentire, a managed detection and response platform provider. “SMBs don’t have those kinds of tools,” he said.

It remains to be seen what long-term impact these breaches are likely to have on security beyond launching security audits of the IT supply chain, said Chris Grove, technology evangelist for Nozomi Networks, a provider of network monitoring security tools. “Those are the typical knee-jerk reactions,” he said.

The hope is that more security initiatives will be properly funded as more C-level executives become aware of the real level of risk their business faces, he added. Today there is a lot of discussion about the need to, for example, embrace zero-trust IT architectures, but not as much conversation about budget allocation, noted Grove. A big part of the problem is that zero-trust IT is not something that can be bought off-the-shelf, added Grove. It requires organizations to invest in a combination of skills, tools and automation, he explained.

In the meantime, it’s clear most organizations are all too aware of the fact that they could easily be the next ransomware victim. The challenge and the opportunity now is to minimize that risk as much as possible both today and in the future.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.