24/7 Emergency Phone: (780) 669-2592

Kaseya Ransomware Incident

What is Kaseya VSA?

Kaseya is a firm that provides IT solutions for IT companies and managed service providers (MSPs). VSA stands for Virtual Server Agent, it allows help desk agents provide support, and logging to many computers around the world, all at once.

What happened?

On July 2, customers started to be notified via email, phone, and online notices of a Kaseya VSA breach, followed by a proactive shutdown of its remote servers. Their entire support network was shut down at that time, both in their Cloud, and if hosted locally by the MSP, thereby, taking its data centers completely offline. -- This is ’bad’ because essentially, MSP’s lost 100% access to all of their clients, and the ability to help them at this time.

On July 4, Kaseya upgraded the severity of the incident, calling itself the "victim of a sophisticated cyberattack." and involved the highest levels of USA government as well as the FBI.

Security, support, R&D, communications, and customer teams have since been working around the clock to resolve the issue and restore service to Kaseya customers. The issue is still on-going at this date (July 10 2021) however a ’patch’ is said to be launched this Sunday, but the majority of the damage has already been done to the clients. This patch is not relevant to repair the encrypted servers, or to regain client data.

The issue is not yet resolved, but once operational again Kaseya will publish a schedule for distributing security patches. 

Who has been impacted?

According to itnews.com, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.

Reddit - This is the best source for all information on this entire topic, including all timelines and updates as the issue occurred and happened, and is still on-going at this time. 

Huntress estimated 1000+ companies have had servers and workstations encrypted and suggested "thousands of small businesses" may have been impacted.

"This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company." - Ross McKerchar, Sophos VP.

What is ransomware?

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s personal data or perpetually block access to it unless a ransom is paid.

While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Starting from around 2012, the use of ransomware scams has grown internationally. There were 181.5 million ransomware attacks in the first six months of 2018.

Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside. 

How do I protect myself from the Kaseya ransomware incident?

If you’re asking yourself (or Google) this question – therein lies the first problem, you are at risk. Your first and last line of defense should be that of an experienced cybersecurity team with a strong track record of providing discrete and confidential cyber security services to a range of commercial enterprises throughout Canada – assisting to ensure your business IT environments are safeguarded. long story, made short. Catalyst has specialized, advanced technology that we do not advertise online, to help assist our clients withstand attacks like these. This includes zero-day style attacks like this recent Kaseya hack.

What is a Zero-Day Exploit? 

A Zero-Day exploit is any previously unknown vulnerability that exists in code, that is installed across a broad spectrum of commonly used technology. This vulnerability, allows a remote threat actor with advanced knowledge of this flaw to create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves NO opportunity for detection, and can allow a remote threat actor remote access to global systems, halt entire supply chains or production lines, and system, or in the case of this Kaseya hack we are talking about here; completely cease all operations and hold entire companies for millions of dollars in ransom to obtain their data again, especially quickly.

The Kaseya ransomware incident has encrypted my files. What should I do?

Catalyst has been successful in decrypting over 67% of ransomware events for businesses in Canada and the US. We encourage you to contact us immediately for help. While a flaw in the current REvil hack which was used in the Kaseya breach has NOT been found yet. If we find one, we will be sure to post here on how to decrypt your data. For now, it is best to lean on backups, and start to restore everything possible, and DISABLE your Kaseya VSA until further notice from the community reddit page.

Will my cybersecurity insurance coverage cover financial losses resulting from the Kaseya ransomware incident?

Some first-party coverages you are likely to find in a cyber liability policy include data restoration, loss of income and extra expenses, cyber extortion, notification costs, and crisis management. The Kaseya ransomware incident would likely fall within such cyber liability policies.

However, one of the biggest mistakes a company can make after falling victim to a ransomware attack is not filing the insurance claim properly, if this is not done correctly, YOU CAN BE DENIED A CLAIM.

Catalyst has extensive experience in helping companies navigate their insurance claims, particularly concerning ransomware attacks. We encourage you to contact us immediately for help. Even if you do not choose us to handle your IT, we can help to assist with the insurance claim filing to ensure processes are done correctly, as your current IT firm may be too busy with operational tasks at this time, to worry about a perfectly correct statement of claim for your insurance firm.

A brief explanation of the Kaseya attack

As defined by the FBI, this is a "supply chain ransomware attack" that has targeted the people who provide support to businesses rather than the businesses themselves. This is a first, but will not be the last, and will likely go down as being the largest, and most profitable hack in modern history.

At the time of writing, 30 MSPs are known to be involved in the breach and the attack was likely triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.

This vulnerability allowed attackers to circumvent authentication controls, gain an authenticated session, upload malicious code, and execute commands via SQL injection. At this point, the remote threat actor was essentially able to commandeer complete and total access to all MSP controlled clients hardware, resulting in what may become known as the largest ransomware attack in history.

Check out this in-depth technical analysis of the attack.

What does the Kaseya ransomware attack mean for Catalyst IT Solutions’ clients?

Catalyst has protected its clients from this Kaseya ransomware attack – what may become known as the largest ransomware attack in history. However, this incident is a game-changer, with ripples that will impact and create long-lasting and renewed discussions need to be had about the future of IT support for every business. Please see this page for more details on how we protected from this attack, and for more details on how we plan to protect from future attacks on MSP targets like Kaseya, SolarWinds, ConnectWise, or any other commonly used MSP platforms.