
At long last: Kaseya restores VSA services shelved after ransomware row

Kaseya released its long-awaited patch for on-premises versions of its VSA remote monitoring and management software on Sunday and began the rollout of the software-as-a-service version of the tool.

The company advised on-prem VSA users to shut their systems down nine days ago, as a wave of ransomware infections spread through the product. Kaseya quickly took its SaaS version offline as a precautionary measure, even though no compromise arising from the SaaS product was known. VSA had been offline since the Fourth of July weekend, leaving customers — primarily managed service providers — without mission-critical software.

"The restoration of our VSA SaaS Infrastructure has begun. We will send email notifications as the individual instances come back online over the next several hours," wrote Kaseya on its blog.

The ransomware was installed by an affiliate of the REvil group, using a chain of vulnerabilities in VSA software, including an authentication bypass and a SQL injection.

According to Huntress Labs researcher John Hammond, the on-premises patch appears to work. Huntress was among the first to describe the attack while it was in progress, and among the first to describe the vector it used.

"With this patch installed, our previous proof-of-concept exploit now fails — and we believe the attack vector is no longer present," he said, via email.

Kaseya announced last week that it would spend "millions" of dollars subsidizing customers impacted by the breaches and deferring subscription payments for those who needed it.

The company has stated that it believes between 50 and 60 of its direct customers were victims of the REvil outbreak, but, given its large MSP client base, Kaseya believes around 1500 downstream businesses were ultimately infected.

Kaseya released restart guides for both its SaaS and on-premises VSA products. It also repeatedly warned that any email claiming to contain a patch, or linking to one, is fraudulent, since criminals may have ‘weaponized’ such links during ransom negotiations, and that customers should obtain the patch through the regular KINSTALL method after following its pre-installation hardening guidance.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
