Through a Kaseya supply-chain attack, a huge REvil ransomware campaign impacts many managed service providers and their clients.
Through what seems to be a Kaseya VSA supply-chain attack, the REvil ransomware gang, called Sodinokibi, targeted MSPs with thousands of customers.
In this supply-chain attack, at least eight significant MSPs have been identified.
Kaseya VSA is a cloud-based MSP platform that allows providers to manage patches and monitor their clients’ computers.
According to John Hammond of Huntress Labs, all of the affected MSPs use Kaseya VSA, and their clients are also encrypted.
There are three Huntress partners affected, with approximately 200 firms being encrypted.
Kaseya is presently investigating the matter and has released a security advice on its help desk site, advising all VSA customers to shut down their VSA server immediately in order to prevent the attack from spreading.
Kaseya has taken down its SaaS servers and is investigating the situation with the help of other security agencies.
A sample of the REvil ransomware was discovered to have been used in one of these attacks.
However, it is unclear whether this sample was exploited for all victims or if each MSP received its own ransom demand.
The ransomware gang has demanded a $5,000,000 ransom in exchange for a decryptor from one of the samples.
MSP clients that were hit by the ransomware attack, according to Emsisoft CTO Fabian Wosar, got a significantly lower $50,000 ransom demand.
MSPs are a lucrative target for ransomware groups because they give a simple way to infect a large number of businesses with a single breach.
The attackers did not exfiltrate any files because the REvil ransomware group generally steals data before installing the ransomware and encrypting machines.