REvil strikes again: Kaseya VSA ransomware

The infamous cybercriminal group known as REvil has carried out another ransomware attack, following those against Travelex, Acer and JBS. The new target is Kaseya VSA, a platform for IT service management. The ransomware was delivered through a malicious software update.

Ransomware Against Kaseya VSA: Over 1,000 Businesses Affected

Kaseya VSA is a software platform for remote monitoring and management of IT infrastructure. Many companies outsource this management to so-called MSPs (Managed Service Providers), which use VSA to administer their customers' systems. By compromising around 30 MSPs in different countries, the attackers therefore reached over 1,000 of their customers. Kaseya confirmed this, stating that only on-premises VSA servers were affected, not its SaaS servers; as a precaution, the US software company shut down the SaaS servers as well.

By exploiting a vulnerability in Kaseya VSA, the attackers distributed a fake update containing the ransomware. Once executed, it starts encrypting files. Before the encryptor runs, the malware also executes a PowerShell script that disables several Microsoft Defender features, so that the payload is not detected or blocked.

To receive the decryption key, ransoms of approximately $50,000 were demanded from small businesses and up to $5 million from large corporations, payable in cryptocurrency. It is unclear whether any data was stolen from the affected computers. Kaseya is releasing a Compromise Detection Tool that lets customers check their VSA servers and managed endpoints for indicators of compromise, and will release a patch for the vulnerability soon; on-premises VSA servers should remain shut down and be brought back up only after the update is installed.

Update: Kaseya has stated in a press release that the SaaS servers will be brought back online starting today, with patch deployment for on-premises VSA servers to be scheduled afterwards. Meanwhile, the REvil group has claimed responsibility for the attack and is demanding a ransom of $70 million in Bitcoin for a universal decryptor.
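The Defender-tampering step mentioned above is something a defender can check for directly on each endpoint. The following PowerShell function is an added example written for this article, not code from the original page, from Kaseya or from the malware: it reads the local Defender configuration with Get-MpPreference and Get-MpComputerStatus, compares it against an expected baseline, lists any exclusions, and pulls recent Defender "configuration changed" events from the event log. The baseline values in $expected and the function name Test-DefenderTampering are assumptions for this example; the cmdlets, property names and event IDs are the real Windows ones.

```powershell
# Added example (not from the original article, Kaseya or the malware):
# audit Microsoft Defender for signs that protection was switched off.
# Requires the Defender PowerShell module (Windows 10/11, Server 2016+) and an elevated session.

function Test-DefenderTampering {
    [CmdletBinding()]
    param(
        # Look back this many hours in the Defender operational log.
        [int]$HoursBack = 24
    )

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = [System.Collections.Generic.List[object]]::new()

    # Expected healthy values; an assumption for this example, adjust to your own baseline.
    # Numeric fields: MAPSReporting 0=Disabled,1=Basic,2=Advanced; SubmitSamplesConsent 2=NeverSend;
    # EnableControlledFolderAccess / EnableNetworkProtection 0=Disabled,1=Enabled,2=AuditMode.
    $expected = [ordered]@{
        DisableRealtimeMonitoring    = $false
        DisableBehaviorMonitoring    = $false
        DisableIOAVProtection        = $false
        DisableScriptScanning        = $false
        MAPSReporting                = 2
        SubmitSamplesConsent         = 1
        EnableControlledFolderAccess = 1
        EnableNetworkProtection      = 1
    }

    # 1. Configured preferences vs. baseline (what Set-MpPreference would have changed).
    foreach ($name in $expected.Keys) {
        $actual = $pref.$name
        if ($actual -ne $expected[$name]) {
            $findings.Add([pscustomobject]@{
                Check = 'Preference'; Setting = $name; Expected = $expected[$name]; Actual = $actual
            })
        }
    }

    # 2. Effective state, which reflects tampering by any method, not only Set-MpPreference.
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add([pscustomobject]@{ Check='Status'; Setting='RealTimeProtectionEnabled'; Expected=$true; Actual=$false })
    }
    if (-not $status.AntivirusEnabled) {
        $findings.Add([pscustomobject]@{ Check='Status'; Setting='AntivirusEnabled'; Expected=$true; Actual=$false })
    }
    if (-not $status.IsTamperProtected) {
        # Tamper Protection is what blocks these Set-MpPreference calls in the first place.
        $findings.Add([pscustomobject]@{ Check='Status'; Setting='IsTamperProtected'; Expected=$true; Actual=$false })
    }

    # 3. Exclusions: attackers often add the staging directory here instead of disabling scanning outright.
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($item in @($pref.$kind)) {
            if ($item) {
                $findings.Add([pscustomobject]@{ Check='Exclusion'; Setting=$kind; Expected='(none)'; Actual=$item })
            }
        }
    }

    # 4. Recent Defender events: 5001 real-time protection disabled, 5004 real-time config changed,
    #    5007 platform configuration changed, 5010 scanning disabled, 5013 Tamper Protection blocked a change.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5013
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    foreach ($e in @($events)) {
        $findings.Add([pscustomobject]@{
            Check = 'Event'; Setting = "EventID $($e.Id)"; Expected = '(none)'
            Actual = "$($e.TimeCreated.ToString('s')) $(($e.Message -split "`n")[0].Trim())"
        })
    }

    return $findings
}

# Usage: run elevated, review the table, and if anything shows up treat the host as suspect
# and re-enable protection with Set-MpPreference / Tamper Protection after the investigation.
Test-DefenderTampering -HoursBack 48 | Format-Table -AutoSize
```

An MSP could push this through its RMM tooling to every managed endpoint and collect the output centrally; an empty result is the expected state, and Tamper Protection being off is worth treating as a finding on its own because it is the control that would have blocked the Set-MpPreference calls the ransomware relies on.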

Categories:   Security