In a Monday update to its restoration timeframe, Kaseya said its board had determined the company was not ready to begin restoring its software-as-a-service (SaaS) VSA remote monitoring and management tool following the ransomware incident. That decision appears to delay the release of a patch for on-premises clients.
Since Friday, Kaseya VSA's on-premises customers have experienced a ransomware offensive from a REvil affiliate that exploited two zero-day bugs in the code – an authentication bypass and one of several SQL injections, according to research from Huntress Labs. Kaseya quickly shut down the SaaS version of VSA as a precaution and told on-premises users to shut down their servers. Over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both repeated the recommendation to shut down on-premises VSA.
"We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration. We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers," the company wrote on its website.
Kaseya has released a breach detection tool for clients. While it was at first available only by emailing the company, it is now publicly available.
Kaseya currently estimates that between 50 and 60 of its direct clients have been hit by REvil ransomware in the attack. But Kaseya's client base is overwhelmingly managed service providers (MSPs), each of which can be used as a springboard to infect its entire roster of customers. Huntress believes the downstream victims of the attack number in the thousands.
Ransom demands to individual companies have ranged from the tens of thousands of dollars to $5 million. On Sunday night, the REvil group posted to its blog that it would release a universal decryptor for $70 million.
"There are some factors that stand out in this attack when compared to others," wrote Sophos on its blog detailing the breakdown of the attack. "First, because of its mass deployment, this REvil attack makes no apparent effort to exfiltrate data. Attacks were customized to some degree based on the size of the organization, meaning that REvil actors had access to VSA server instances and were able to identify individual customers of MSPs as being different from larger organizations. And there was no sign of deletion of volume shadow copies — a behavior common among ransomware that triggers many malware defenses."
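The last point in the Sophos quote is worth making concrete for defenders: many endpoint rules fire on the command lines ransomware uses to destroy Volume Shadow Copies, and an intrusion that skips that step, as this one reportedly did, slips past them. The following is an added example, not code from the article, from Kaseya, Huntress or Sophos; it is a small detector that runs a handful of shadow-copy tampering rules over constructed process-creation records whose field names (host, image, cmdline) are assumptions loosely modelled on Windows Security event 4688 and Sysmon event 1, not any vendor's schema. It shows what such a rule catches, and by omission what it does not.

```python
import re

# Constructed sample process-creation records; field names are assumptions
# loosely modelled on Windows Security event 4688 / Sysmon event 1, and none
# of these rows is real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"},
    {"host": "ws04", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: lists, does not delete
    {"host": "ws05", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "ws06", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},            # benign: unrelated process
]

# Each rule is (name, compiled regex) matched case-insensitively against the
# command line. These cover the common built-in ways of destroying shadow
# copies or backup catalogs (MITRE ATT&CK T1490, Inhibit System Recovery).
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]


def classify_event(event):
    """Return the names of every rule whose pattern matches the command line."""
    cmdline = event.get("cmdline", "")
    return [name for name, pattern in SHADOW_COPY_RULES if pattern.search(cmdline)]


def find_shadow_copy_tampering(events):
    """Return one alert dict per event that matches at least one rule.

    Events that merely enumerate shadow copies (e.g. 'vssadmin list shadows')
    produce no alert, and so does any intrusion that never runs these
    commands at all, which is exactly the gap the Sophos observation points at.
    """
    alerts = []
    for event in events:
        hits = classify_event(event)
        if hits:
            alerts.append({"host": event["host"], "rules": hits,
                           "cmdline": event["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"{alert['host']}: {', '.join(alert['rules'])} :: {alert['cmdline']}")
```

Run against the constructed records, the detector alerts on ws01, ws02, ws03 and ws05 and stays silent on the listing command and the unrelated process. A deployment like the one described here, which encrypted without touching shadow copies, would produce no alerts from these rules at all, which is why they belong alongside behavioural controls (mass file rewrites, unusual child processes of the RMM agent) rather than serving as the sole ransomware tripwire.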