Active Supply-Chain Ransomware Attack Against Kaseya VSA

Type: Cyber Alert

Topics: Cybersecurity

Kaseya has warned of an active attack against a number of its customers using Kaseya’s VSA remote monitoring and management (RMM) platform. The attackers are using the platform to deliver REvil ransomware to systems and are demanding $44,999 to restore access to data.

Kaseya has placed all SaaS instances of VSA server in “maintenance mode” and recommends that firms and MSPs immediately disable any on-premises VSA servers “because one of the first things the attacker does is shutoff administrative access to the VSA.” The REvil ransomware appears to be delivered to systems in the form of a Kaseya update using the platform’s administrative access to managed endpoints. 

ACA guidance

ACA Aponix® recommends taking the following actions regarding the attacks against Kaseya: 

  • Immediately follow the recommendations provided by Kaseya in its alert.
  • Firms and their MSPs should immediately shut down any on-premises VSA servers. If necessary, reach out to trusted third-party providers for assistance.
  • Monitor system logs and other security resources for unusual activity.
  • As the attack focuses on using Kaseya to deliver ransomware payloads, ensure that data backup and related resiliency plans are up to date and functional.
  • Review and update existing incident response plans to prepare for a ransomware infection.
  • Strongly encourage third-party vendors to follow the directions and information issued in relation to this attack.
  • Follow further CISA guidance as it becomes available. 

How we help

ACA Aponix offers the following solutions that can help your firm in light of the discovered vulnerability, with software patching programs, Office 365 security configuration, and data security in general.

Download our Aponix Protect™ cybersecurity solution brochure.

If you have any questions, please contact your ACA Aponix consultant or contact our cyber team.