Updated July 2, 2021 3:30 PST
Kaseya, a remote management solution typically used by multiple managed service providers (MSP) in the United States to help manage their clients' systems, was the victim of a ransomware attack executed on July 1, 2021. The threat actors that compromised Kaseya are now using the Kaseya software to access customer networks and deploy ransomware.
If your organization uses Kaseya Virtual System Administrator (VSA) server, firewall it off from the internet and restrict access immediately. You can do this by configuring your firewall or internal network to isolate the server from the rest of the network or shutting down the VSA server.
You will want to make sure your backups/backup server is isolated from the rest of your network, including the network where your Kaseya server is located. Threat actors have already been observed targeting and deleting backups, such as Veeam, Sophos, and other backup technologies.
Kaseya has put out a statement:
We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.
The Coalition Incident Response team (CIR) is ready and prepared to help you during this event and answer any questions you may have. Even if you have not been affected by the ransomware, Coalition can help with preventative measures; please reach out – we’re here to help.
All policyholders with an issue, please call 24x7 toll-free at +1 833 866 1337 or email [email protected] . The sooner, the better.
At this time, Coalition is unable to assess who may be affected; however, there are steps you can take to evaluate the risk to your organization. For example, if you start to notice abnormal behavior across your servers or workstations, including, but not limited to, changes in file names and desktop background images, you might have already been affected.
Reach out to your MSP if you are unsure if they use Kaseya and feel free to include Coalition in this communication. If you are a system administrator the following technical information can be of use to identify the vulnerable software: