Kaseya VSA criminals may have ‘weaponized’ links in ransom negotiations

In a Saturday update to the ongoing VSA ransomware attacks, Kaseya warned victims not to click on links sent in communications with the ransomware operators.

"We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links – they may be weaponized," the company wrote on its site.

Ransomware attacks leveraging a zero-day in the on-premises Kaseya VSA remote IT management product started Friday afternoon and struck dozens of managed service providers and thousands of those MSPs' customers.

Huntress Labs, one of the firms leading research into the attack, says it has seen more than 20 MSP clients alone.

“We can only comment on what we’ve observed, which has been around 20 MSPs who support over 1,000 small businesses, but that number is expanding quickly,” said Huntress researcher John Hammond Friday night.

In an early statement, Kaseya said it believed fewer than 40 total clients had been hit. The Saturday morning update did not list a number, but it was similarly optimistic about the scope of an attack of which a single vendor had already seen 20 instances.

"Due to our teams' fast response, we believe that this has been localized to a very small number of on-premises customers only," the company wrote.

The ransomware is being operated by a REvil affiliate group.

"This feels like the nightmare scenario for an MSP, where the RMM solution that inherently has administrative access to all their clients and customers, is compromised and abused to send out ransomware," Hammond added this morning. "We often talk about MSPs being the 'mothership' for SMBs and organizations, but if Kaseya is what is hit, bad actors just compromised... potentially all of the motherships."

It is uncommon for ransomware operators to have access to a zero-day, particularly in a product as widely used as Kaseya.

"Everyone is focused on the [number of] affected customers but, if I am reading this sentence correctly, REvil used a 0-Day vulnerability to gain access to @KaseyaCorp and its clients. That is huge, I don’t think I have seen a ransomware gang use a 0-Day in an attack before," wrote Recorded Future CSIRT Allan Liska on Twitter.

This story is developing. Check back for updates.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
