As was reported earlier, MSP software vendor Kaseya was hit by a massive ransomware attack by REvil (Sodinokibi) at the end of last week. The attackers exploited a zero-day vulnerability in the company's VSA product and used it to attack Kaseya's customers.
The problem is that the majority of the affected VSA servers were run by MSPs, that is, companies that manage the infrastructure of other clients. This means that the cybercriminals were able to deploy ransomware into thousands of corporate networks at once. The incident could be the largest ransomware attack in history: although WannaCry, NotPetya and Bad Rabbit spread more widely, those incidents were attributed to state-sponsored hackers, not to financially motivated groups such as REvil.
Affected companies received ransom notes demanding $50,000 (if the infected machine was not joined to a domain) or $5,000,000 (if the machine was domain-joined, that is, part of a large corporate network).
In addition, the REvil operators demanded a ransom of $70 million, in exchange for which they promised to publish a universal decryptor capable of unlocking every computer affected by the Kaseya hack. They have since lowered this demand to $50 million.
Soon after the incident, the company's CEO Fred Voccola hastened to assure the media that the attack had affected fewer than 40 of Kaseya's 36,000 customers. The company now clarifies that there are about 60 direct victims, that is, MSPs through which the attackers were able to encrypt approximately 800-1,500 corporate networks.
Below is the official statement from the head of the company.
Let me remind you that the REvil attacks on Kaseya VSA servers caused problems in the most unexpected places, including the Coop supermarket chain in Sweden, kindergartens in New Zealand and some administrative institutions in Romania. So far, five MSPs have publicly admitted that they were hit by the ransomware: VelzArt, Hoppenbrouwers, Visma EssCom, Synnex and Avtex.
Interestingly, Kaseya refuses to treat the incident as a supply-chain attack. The company insists that the attackers exploited the CVE-2021-30116 vulnerability in VSA directly and did not tamper with its code base in order to distribute malware.
Let me also remind you that we previously wrote about experts extracting details of how REvil operators cash out their ransoms.