Ransomware Attack Localized to Small Number of On-Premises Customers: Kaseya

Isabel van Brugen
7/6/2021
Updated: 7/6/2021

Florida-based software management firm Kaseya confirmed on July 5 that it had been targeted by a ransomware attack but said the impacts were likely localized to a very small number of on-premises customers only.

In an update late Monday, Kaseya said that its VSA software has “unfortunately been the victim of a sophisticated cyberattack.”

“Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only,” the company said in a statement on its website.

Kaseya is a company that provides software tools to IT outsourcing shops: companies that typically handle back-office work for companies too small or modestly resourced to have their own tech departments.

Kaseya first alerted its customers at 2 p.m. EDT on Friday about a “potential attack” against its VSA software. It sent an urgent alert to customers, telling them to immediately take action to protect themselves from the attack.

“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers,” the initial alert said.

In its latest briefing, Kaseya said that it is currently aware of fewer than 60 customers, all of whom were using the VSA on-premises product, who were directly compromised by last week’s ransomware attack.

“While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses,” the firm said. “We have not found evidence that any of our SaaS customers were compromised.”

VSA is the only Kaseya product affected by the attack, it said, adding that it expects to bring its SaaS servers back online on July 6 between 2 p.m. and 5 p.m. EDT.

Kaseya has 40,000 customers for its products. Not all use the affected tool.

The company advised that all on-premises VSA servers would continue to remain offline until it releases further instructions about when it is safe to restore operations.

It noted that management had since met with the FBI and U.S. Cybersecurity and Infrastructure Security Agency (CISA) to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.

Kaseya also said that its outside experts advised its customers who experienced ransomware and received communication from the attackers to not click on any links, as they may be weaponized.

President Joe Biden, when asked by reporters on Saturday if Russia was behind the cyberattack, said that he’s “not sure.”

“[T]he initial thinking was it was not the Russian government,” he said.

The president added that he has directed U.S. intelligence agencies to probe who was behind the hack, adding that the United States will respond accordingly if actors of the Russian government are involved.

Security firm Huntress Labs said on Friday it believed the major Russian-speaking ransomware gang, REvil, was behind the attack.

Also known as Sodinokibi, REvil was behind the ransomware attack that disrupted operations at JBS Foods on May 30, according to the FBI.

The prolific ransomware group earlier this year was also behind an attack on an Apple Inc. supplier named Quanta Computer. It has previously marketed stolen data on cybercrime forums in Russian.

Reuters contributed to this report.