Threat Management, Malware, Managed Services, Ransomware

‘Turn off your heart’: Kaseya VSA ransomware hits MSPs in a vital organ

IIS malware was first identified in 2013, but was most recently a component of the Halfnium Exchange campaign.
(“Server room” by torkildr is licensed with CC BY-SA 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/2.0/
Kaseya ransomware attacks strike at software at the center of the enterprise: the remote monitoring and management (RMM) platform. ("Server room" by torkildr is licensed under CC BY-SA 2.0)

The flurry of ramsomware attacks starting Friday, targeting on-premises Kaseya VSA applications are particularly frightening to managed service providers, because they strike at software at the center of the enterprise: the remote monitoring and management (RMM) platform.

In any other case, an RMM would be central to the recovery to an attack. They can be irreplaceable components of incident response plans.

"The thing I think a lot of people are missing here is that these MSPs are using these systems to do the remote administration. It's the one way that they have to go manage the system. They don't have a fallback. There's no contingency plan for them," said Jake Williams, chief technology officer of Rendition Infosec and the incident response firm BreachQuest.

The scope of the ransomware outbreak leveraging Kaseya VSA remains fluid, but the number of customers impacted could be significant. VSA is popular — Williams called it "the Coca-Cola" of RMM — so the potential exposure is fairly wide. They said, Kaseya quickly told on-premises customers to shut servers down, limiting some exposure. While Kayesa said Friday that it believed under 40 MSPs had been infected, a single security vendor, Huntress Labs, said it was aware of more than 20 cases of infection. Thousands of clients to those MSPs were exposed, with Huntress reporting ransom demands as high as $5 million.

Danny Jenkins, CEO of the MSP zero-trust solution ThreatLocker, said security software flagged the files associated with the attack appeared in "30 to 40 percent" of clients running Kaseya VSA on-premises.

VSA is not the first IT management software to be used in a ransomware attack, nor is it the first supply chain hack to have downstream effects. SolarWinds would be an example of both.

Read more: Kaseya VSA criminals may have ‘weaponized’ links in ransom negotiations

"it's happened over and over again," said Jenkins. "I spoke to one MSP who just three weeks ago were in contract with Kaseya, because they just left a different vendor, because they had been compromised through them."

While the recent spate of supply chain and IT management software attacks are worrying trends in and of themselves, said James Shank, chief architect of community services for Team Cymru, and the lead of the "Worst Case Scenario's" discussion group at the recent multistakeholder Ransomware Task Force, the centrality of RMM software makes VSA a unique case.

"RMM is the lifeblood of these businesses," agreed Jenkins. "So Kaseya saying turn off VSA is like them saying turn off your heart. It's gonna kill you. MSPs say when they turn it off that they're essentially turning off the lights."

Kaseya has said they have identified the vulnerability used in the attacks and will soon issue a patch. In the meantime, they continue to recommend shutting down VSA.

In the broader sense, Shank warns that RMM will continue to be a target, and MSPs and their clients should be prepared.

"Planning around critical platforms being unavailable is going to have to become part of the toolkit. Because, especially as ransomware becomes more and more common, and it's certainly quite common today, the availability of any particular system is not a guarantee," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.