A hot potato: A ransomware attack has hit hundreds of businesses across the US, in a supply chain attack that targets Kaseya's VSA system management platform (used for remote monitoring and IT management). While Kaseya claims less than 40 of over 36,000 customers were affected, the targeting of large managed service providers has led to vast numbers of clients further downstream being hit as a result.

Kaseya states that it was made aware of a security incident around noon on Friday, as a result they put its cloud services into maintenance mode and issued a security advisory advising that all clients with a local VSA server to shut it down until further notice, as "one of the first things the attacker does is shutoff administrative access to the VSA." Kaseya also notified the FBI and CISA as well as started its own internal investigation.

The company's second update stated that the shutdown of cloud VSA was done solely as a precaution, and that customers using their SaaS servers "were never at risk." However, Kaseya also said that these services will remain suspended until the company determines it is safe to resume operations, and at the time of writing the cloud VSA suspension had been extended further to 9am ET.

How infected systems look. Image: Kevin Beaumont, via DoublePulsar

Ransomware gang REvil appear to have their payload delivered via a standard automatic software update. It then uses PowerShell to decode and extract its contents while simultaneously suppressing numerous Windows Defender mechanisms such as including real-time monitoring, cloud lookup, and controlled folder access (Microsoft's own built-in anti-ransomware feature). This payload also includes an older (but legitimate) version of Windows Defender, which is used as a trusted executable in order to launch a DLL with the encryptor.

It's not yet known if REvil is stealing any data from victims before activating their ransomware and encryption, but the group is known to have done so in past attacks.

The scale of the attack is still unfolding; supply chain attacks like these that compromise weak links further upstream (instead of hitting targets directly) have the potential to wreak havoc on a broad scale if those weak links are widely used – as Kaseya's VSA is, in this case. Furthermore, its arrival on the weekend of 4th of July seems to have been timed to minimize the availability of staff to deal with the threat and slowing the response to it.

A snapshot of Kaseya VSA software management

BleepingComputer initially stated that eight MSPs had been hit, and that cybersecurity firm Huntress Labs knew of 200 businesses compromised by the three MSPs that it was working with. However, further updates from John Hammond of Huntress show that the number of affected MSPs and downstream clients is far higher than those first reports and continues to grow.

Demands have varied wildly. Meant to be paid in cryptocurrency Monero, most ransom appear to start at $44,999, but they can go all the way up to $5 million. Similarly, the due date for payment – after which the ransom is doubled – also seems to vary between victims.

Of course, both figures are likely to depend on the size and scale of the target effected. REvil, which US authorities believe has ties to Russia, got $11 million out of meat processors JBS last month, and demanded $50 million from Acer back in March.

Masthead image: Bleeping Computer