Updated: Kaseya said it has delayed the reboot of its VSA SaaS servers after discovering an “issue” that has “blocked the release”. Kaseya had been aiming to restore them by 6 AM US EDT on Wednesday after it shut them down during the ransomware attack.
“Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline,” the company said in an update. “We apologise for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service.”
Kaseya said it will provide another update at 8 AM US EDT.
Up to 1,500 businesses worldwide have been affected by a cyberattack that weaponised software provided by IT vendor Kaseya into a ransomware payload.
The Miami-based company said on Monday that it is aware of 60 Kaseya customers who were “directly compromised” by the ransomware attack. However, because many of these companies use Kaseya VSA software to provide IT services to other companies, the number of victims has multiplied.
The system scrambling malware has led to major disruption at grocery stores, schools, a national railway system and hundreds of other businesses.
Kaseya said it has developed a security patch for its on-premises customers and it is currently going through “testing and validation”. In the meantime, it is keeping its software-as-a-service (SaaS) servers offline, with the aim of restoring them between 2pm and 5pm EDT on Tuesday. While Kaseya’s SaaS products are unaffected, it took all servers offline over the weekend as a precaution.
It will bring Kaseya Virtual System Administrator (VSA) software – a tool used by IT teams to remotely manage systems – back online in stages. Kaseya continues to advise all businesses to keep on-premises VSA Servers offline until they are notified it is safe to restore them.
The company provides IT services to some 40,000 businesses globally, many of which are managed service providers. On Friday it released a tool to detect compromise, which the company says has been downloaded 2,000 times.
There have been no new reports of VSA customers being compromised since Saturday, Kaseya added. Cybersecurity companies including US-based Huntress Labs said it believes Russia-linked ransomware syndicate REvil was behind the attack, which was launched on Friday 2 July. President Joe Biden has instructed US intelligence agencies to investigate but Russia said it has not received any communication about the attack.
“I have no information that any data was provided. No, no data was received,” Kremlin spokesman Dmitry Peskov told news agency Interfax, adding that the Kremlin was not aware of the attack.
REvil gang demands $70m to end mega hack
The Russian-speaking ransomware syndicate REvil has claimed responsibility for a huge cyberattack scrambling the systems of at least 1,000 companies worldwide and is asking for a $70m ransom fee to decrypt them.
The REvil gang launched the attack on Friday evening after breaking into Miami-based IT provider Kaseya. It then used that access to launch further attacks against managed service providers (MSPs) employing Kaseya VSA software, setting off a chain reaction of organisations infected with system encrypting malware.
REvil, which rents out its ransomware software and infrastructure to other hackers and takes a portion of their earnings, claimed it had infected “more than a million systems”.
Cybersecurity company Huntress said it was aware of “well over 1,000 businesses” which had been affected by the Kaseya VSA ransomware attack, making it one of the largest such attacks ever.
In a dark web blog post, the REvil gang said: “We launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor.”
It is unclear how REvil expects the sprawling and disparate list of affected organisations to make a joint payment. According to cybersecurity company ESET, the Kaseya hack has hit organisations in the US, UK, South Africa, Canada, Germany and Colombia.
Kaseya said on Sunday that the “sophisticated” ransomware attack affected a “very small number of on-premises customers only”.
Coop Sweden is one of the organisations caught up in the attack and was forced to close stores over the weekend after its point-of-sale tills and self-service checkouts stopped working. It is now in the process of manually rebooting each machine in some 400 stores.
US President Joe Biden said on Saturday he has directed US intelligence agencies to investigate the attack.
The US Cybersecurity & Infrastructure Security Agency (CISA) said it is “taking action” and encouraged organisations to “review” Kaseya’s advisory and “immediately” shut down VSA servers.
REvil is believed to have used a zero-day – a type of exploit for which no security fix yet exists – in the Kaseya hack. The attackers used MSPs running Kaseya VSA software as their distribution method in what is known as a supply chain attack.
“Usually, this software offers a highly trusted communication channel that allows MSPs unlimited privileged access to help many businesses with their IT environment,” said Sophos director of engineering Mark Loman.
Kaseya CEO Fred Voccola said the company would release a patch “as quickly as possible” after identifying the source of the vulnerability.
Cybersecurity experts said the Kaseya ransomware attack was deliberately launched on the Fourth of July holiday weekend to cause maximum disruption. It follows a spree of ransomware attacks that have seen criminal gangs collect multi-million dollar payouts, sparking debate over whether ransom payments should be banned.
REvil, also known as Sodinokibi, is one of the most prolific ransomware gangs in the world and was blamed by the FBI for an attack against the world’s largest meat supplier JBS, forcing it into making an $11m ransom payment.