The number of managed service provider (MSP) customers impacted by a wide-ranging REvil/Sodinokibi ransomware attack orchestrated through Kaseya’s VSA product has been revised upward from around 40 to about 60.
The attack, which unfolded on 2 July, has so far caused disruption to some 1,500 downstream customers – many of them small and medium-sized enterprises (SMEs) of the affected MSPs.
In a new statement released within the past 24 hours, Kaseya said it had received no reports of any further compromises for VSA users since 3 July, and had found no evidence that any of its software-as-a-service (SaaS) customers have been impacted. It added that VSA is the only product compromised, and all its other services are unaffected.
“Our executive committee met this afternoon [5 July] at 6.30pm EDT [11.30pm BST] to reset the timeline and process for bringing our SaaS and on-premises customers back online,” said the firm.
“The patch for on-premises customers has been developed and is currently going through the testing and validation process. We expect the patch to be available within 24 hours after our SaaS servers have been brought up.”
Kaseya currently expects to bring its SaaS servers back online later on 6 July between 7pm and 10pm UK time, and will make a final decision on this imminently. It said it will release VSA with staged functionality to recover services sooner, with the first release preventing access to some functionality for the time being.
It has also met with US authorities to discuss system and network hardening requirements for both SaaS and on-premise customers, and will post these requirements, again, imminently. It is likely that the patch will be required to be installed before restarting. In the meantime, all on-premise VSA servers must remain offline.
“We have been advised by our outside experts that customers who experienced ransomware and received communication from the attackers should not click on any links – they may be weaponised,” it added.
So far, few of the impacted MSP customers have identified themselves, but Netherlands-based Velzart, a provider of cloud, IT and networking services, has been keeping its customers informed of its recovery progress via its blog.
At the end of Monday 6 July, the firm reported that it had technically repaired 70% of impacted servers and returned them to customer use, and expected to restore the rest of its server estate by Wednesday. The firm went on to thank its clients for their patience and understanding, as well as technical assistance and even refreshments.
As more information continues to trickle out about the attack, it is now becoming clear that REvil accessed on-premise instances of VSA server through a newly uncovered zero-day – as previously disclosed, probably an SQL injection vulnerability – and delivered the ransomware payload via an automatic update rolled out disguised as a management agent.
As noted by Sophos among others, this gave the gang additional cover to sneak past defences by exploiting customer trust in the VSA product.