Update on REvil's exploitation of Kaseya's VSA.
Kaseya CTO Dan Timpson posted a video late yesterday afternoon in which he provided a high-level overview of the steps the company was taking to fix the problems with its VSA software, whose modular design he credited with helping limit the scope of the attacks by REvil. Timpson made a point of listing the organizations Kaseya was working with as it responded to the ransomware attack: Mandiant (including its affiliate FireEye), the FBI, CISA, and DIVD, as well as partners, customers, and researchers. Kaseya has fixed the vulnerabilities in both the on-premises and cloud versions of VSA, he said, has documented the updates, and has had them "peer-reviewed" by the partners the company has engaged.
A post on Kaseya's site indicates that patches for VSA's on-premises version are still scheduled for release this coming Sunday July 11th, at 4:00 PM EDT. That's also when Kaseya intends to begin deploying the fixes to its VSA SaaS Infrastructure.
How successful has REvil actually been, this time?
The Wall Street Journal reports that ransomware infestations connected with the exploitation of Kaseya had, by yesterday, been found in six European countries. The Record reports that Kaseya's president and general manager for EMEA, Ronan Kirby, addressing a meeting convened by Belgium's CERT, said those six countries were the UK, the Netherlands, Germany, Sweden, Norway, and Italy. Eight of the sixty direct customers affected by the campaign are in Europe. Kaseya still thinks there are between eight hundred and fifteen hundred total downstream victims, that is, customers of the MSPs who use Kaseya's VSA.
But BleepingComputer has found only two victims who've paid any ransom, and concludes that the responsible REvil affiliate is unlikely to get the big payday they're hoping for. REvil went after the software itself, the better to cast a broad net, and so passed up the now customary step of wiping or encrypting backups. "[A]n MSP and multiple victims encrypted during the attack told BleepingComputer that none of their backups were affected, and they chose to restore rather than paying a ransom." So the victims may have simply opted to restore from backups and bite the bullet on any doxing that may develop later.
A US response to the ransomware campaign remains under consideration.
SecurityWeek writes that the US Administration faces pressure to do something about REvil's campaign. The Administration has been circumspect about its plans and options, and the Defense Department has declined to discuss specific US Cyber Command capabilities, plans or operations, beyond expressing its conviction that any response should embody a "whole-of-government" approach.
More coverage of this incident may be found on the CyberWire's site.