Kaseya VSA Ransomware Attack Hits Nearly 40 MSPs

‘When an MSP is compromised, we‘ve seen proof that it has spread through the VSA into all the MSP’s customers. MSPs with over thousands of endpoints are being hit,’ said Huntress Senior Security Researcher John Hammond.


The cyberattack against Kaseya’s VSA remote monitoring and management software has affected nearly 40 of the company’s on-premises MSP customers, according to CEO Fred Voccola.

The New York and Miami-based IT service management vendor said the cyberattack impacted only a small percentage of its more than 36,000 customers, with none of Kaseya’s SaaS customers ever at risk. Numerous security researchers – as well as the Cybersecurity and Infrastructure Security Agency (CISA) – have called the incident a supply-chain ransomware attack, but Kaseya hasn’t confirmed those reports.

“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly,” Voccola wrote in an update posted to Kaseya’s website at 10 p.m. ET Friday. “We will release that patch as quickly as possible to get our customers back up and running.”

Sponsored post

[Related: Kaseya Takes RMM Tool Offline Following ‘Potential Attack’]

The impact of the Kaseya cyberattack is likely to be significantly broader than just the 40 directly affected MSPs since a single MSP often serves dozens (or even hundreds) of end customers. For instance, managed detection and response (MDR) vendor Huntress found that roughly 200 end users had been encrypted even though just three of the company’s MSP partners were actually compromised.

“When an MSP is compromised, we’ve seen proof that it has spread through the VSA into all the MSP’s customers,” John Hammond, senior security researcher at Huntress, said in a statement emailed to CRN. “MSPs with over thousands of endpoints are being hit.”

Similarly, Axcient told CRN that although not many of its MSP partners were affected, those who were suffered a deep blow, with multiple systems across the MSP’ entire customer base impacted, said Ben Nowacky, SVP of Product. Affected MSPs should reach out to their insurance carrier to see if they must work with a specific incident response vendor and to their backup vendor for help with data recovery.

“The scope of the attack is really going to be determined by how quickly word gets out to shut down VSA until a patch can be released, and MSPs having their incident response plans current and able to be executed,” Nowacky told CRN.

Voccola said Kaseya expects to restore VSA service to its SaaS customers within the next 24 hours once the company can confirm that these customers are not at risk. All on-premise VSA servers should continue to remain down until Kaseya instructs that it’s safe to restore operations. The company said a patch will have to be installed before restarting the on-premise VSA.

“We engaged our internal incident response team and leading industry experts in forensic investigations to help us determine the root cause of the issue,” Voccola wrote in his Friday evening update. “We notified law enforcement and government cybersecurity agencies, including the FBI and CISA.”

Several security researchers, including Huntress, have attributed the Kaseya VSA cyberattack to the notorious REvil ransomware gang (also known as Sodinokibi), which was most recently behind the colossal attack on meatpacking giant JBS. REvil was first spotted in April 2019 and refuses to target machines located in Russia or the former Soviet republics, CrowdStrike’s Adam Meyers told CRN in 2020.

One REvil victim was told they’d have to pay a $5 million ransom by July 5 to receive a decryptor, after which point the ransom would be doubled to $10 million, according to BleepingComputer. It’s unclear if the same ransomware sample was used against all victims or if each MSP victim received its own separate ransom demand, BleepingComputer said.

A text-based README is written into various directories on the victim’s system, which functions as a ransom note, according to a blog post late Friday from Cisco Talos.

“If you will not cooperate with our service – for us, its [sic] does not matter,” REvil wrote in its ransom note, according to a screenshot posted by Talos. “But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”