Kaseya VSA Ransomware

REvil operators likely planned this attack on Kaseya VSA servers knowing the Fourth of July weekend was approaching. With many companies short-staffed for response to this issue, REvil operators will be wreaking havoc within networks.

Kaseya VSA, which provides remote monitoring and management to organizations, was hit with REvil ransomware and the organizations affected have confirmed REvil is encrypting files. At least 40 organizations that Kaseya provided for have been affected, but what compounds the issue is some of these organizations are MSPs with connection to many smaller and medium sized businesses.

Companies that run Kaseya VSA on-premises servers are urged to keep the servers off.

The REvil ransomware operators initiated the attack by delivering the malware bundle of the ransomware, a copy of Windows Defender, and a digitally signed certificate. REvil operators can successfully work around Windows’ malware checks and run the ransomware.

Our engineers have also discovered the AvTek phone company as one of the major providers pushing the ransomware. Unfortunately, all of their customers were hit.

Recovered ransom notes show that the REvil group has requested $45,000 in Monero from some victims.

Known IoCs:

agent.crt - 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643

agent.exe - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

mpsvc.dll - e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2

mpsvc.dll - 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

The ransomware landscape is evolving every day, and the combination of ransomware and supply-chain attacks can create a massive problem moving forward. Be proactive in protecting your organization with SpearTip’s services. Our 24/7 approach allows your team to be relieved of the pressure to protect critical assets, especially on weekends and holidays when your team isn’t hard at work. This REvil attack timing shows how important a 24/7 SOC monitoring your networks can be.

SpearTip’s team of engineers has been working diligently through the weekend and remain available 24/7 for assistance with Kaseya servers. Call 833.997.7327 to speak directly with one of our engineers with any questions.

View our breaking article with information from SpearTip’s immediate investigation.