Kaseya ransomware incident.
On Friday Kaseya sustained a ransomware attack on its widely used VSA product. Huntress Labs warned that ransomware had been deployed through VSA on-premises servers beginning around 11:00 AM EDT. It was a direct attack in which the attackers exploited a zero-day vulnerability (CVE-2021-30116) that had been responsibly disclosed by the Dutch Institute for Vulnerability Disclosure (DIVD) and that Kaseya was in the process of fixing.
The effects of the attack have been worldwide, roughly tracking VSA's market penetration among managed service providers (MSPs), with the US and Germany showing the highest rates of infection. Between forty and sixty Kaseya customers are believed to have been directly affected, but since these tended to be MSPs, the ransomware in turn flowed downstream to those MSPs' own customers, which it affected indiscriminately. The Record this morning put the tally of affected organizations at more than fifteen hundred. Reuters speculates that individual organizations' recovery could take weeks.
Early indications are that the ransomware was REvil, and subsequent ransom demands have seen the REvil gang claim credit. The gang is demanding $70 million in Bitcoin, for which it promises to release a decryptor to all the victims, which suggests that it is looking for a single collective payment rather than negotiating with victims individually.
Kaseya itself has been issuing regular situation updates since it disclosed the incident at 4:00 PM EDT Friday. The company yesterday posted the following summary advice on mitigation:
"All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.
"We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized."
The US Cybersecurity and Infrastructure Security Agency (CISA) urges VSA users to immediately shut down their servers and to follow the mitigation advice Kaseya has issued. The FBI has seconded CISA, and solicited information from victims of the attack.
The CyberWire has a more extensive summary, with comment from industry.