On Friday, July 2, 2021, hackers launched a sophisticated ransomware attack on Kaseya’s remote management Virtual System/Server Administrator (VSA) software, compromising the IT service providers who use the tool as well as their downstream clients. On Monday, July 5, the hackers demanded a $70 million ransom to provide a decryption tool.

 

Pax8 and our security vendors have been closely monitoring the developments related to the ransomware attack on the Kaseya VSA product since it was announced. Kaseya and many Pax8 vendors are providing regular updates to clients and reseller partners about the situation, including instructions on how to protect their businesses.

 

#1 Recommendation

Key among Kaseya's current recommendations is that all on-premises VSA servers should remain offline until Kaseya issues further instructions about when it is safe to restore operations.

 

Security Vendor Recommendations

Below are some extracts from Pax8 security vendor communications after the attack.

 

Bitdefender (as of July 2)

“Kaseya issued an advisory and has urged their customers to immediately shut down on-premises VSA servers. We recommend that any Kaseya VSA users follow this guidance immediately… Check on-premises and hybrid environments for known indicators of compromise (IoCs).”

 

Proofpoint (as of July 5)

“Proofpoint has a limited number of Kaseya servers supporting non-production environments. We shut these servers down as requested on July 2nd, and they remain shut down pending further information from Kaseya. Proofpoint has reviewed all known indicators of compromise and at this point has not seen any evidence that we have been impacted by the attack.”

 

SentinelOne (as of July 3)

“SentinelOne agents protect from this supply chain attack. Our teams will continue to hunt and search for any indications of this attack 24/7/365. We’re also working to ensure no exclusions were set that could allow the attack to occur.”

 

NovaSOC (as of July 2)

“Kaseya is recommending VSA servers be shut down immediately. They have not indicated their cloud/SaaS solutions are definitively impacted but those servers appear to be down for maintenance at this time, likely to preserve the environment during their in-house investigation.”

 

Stay on Top of Security Vendor Updates

To help our partner community stay on top of the issue, Pax8 is compiling the complete client and partner advisories from our security vendors and making them available at the link below. We will continue to update this resource as new advisories are issued.