withkeron.blogg.se

Cable krebs ransomwhere

More details of the vast scope of the attack have emerged. Huntress has been maintaining a comprehensive Reddit thread on the incident since Friday. In an accompanying blog post, the organization says it is tracking about 30 MSPs in four continents "where Kaseya VSA was used to encrypt well over 1,000 businesses". One of the affected organizations is St Peter's School, Cambridge, New Zealand, which has confirmed that it is one of eleven schools in the country affected by this supply-chain attack.

Kaseya has released a new statement confirming they were the victim of a sophisticated cyberattack. At this time they are still urging customers to keep their on-premise VSA servers offline. According to Bloomberg, two of the affected managed service providers (MSPs) are Synnex Corp. While Kaseya is a US-based company, some of the MSPs' customers are businesses in Europe. According to the BBC, Swedish supermarket chain Coop had to close more than 400 stores on Friday after the point-of-sale terminals and checkouts stopped working.

Victims of this attack would have downloaded a malicious update called 'Kaseya VSA Agent HotFix' which was in fact meant to disable Windows Defender and push the file encryptor payload. The ransom note left on encrypted systems reads:

"=- Whats HapPen? Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7pc78r01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you can't return your data (NEVER)."

We will update this post with more information as it becomes available, but the immediate guidance from Kaseya cannot be overstated: Shutdown VSA servers immediately.

The attack is reportedly delivered through a Kaseya VSA auto-update that maliciously pushes the REvil ransomware onto victims’ machines.

A screenshot from Malwarebytes reveals a ransom note delivered to an infected Windows machine.

During the attack, the cybercriminals reportedly shut off administrative access to VSA, and several protections within Microsoft Defender are disabled, including Real-Time Monitoring, Script Scanning, and Controlled Folder Access.

For a company that says it has 40,000 customers, this could be a disaster.

Complicating the attack is the fact that, according to cybersecurity researcher Kevin Beaumont, the malicious update carries administrator rights for clients’ systems, “which means that Managed Service Providers who are infected then infect their client’s systems.”

Kaseya is a popular software developed for Managed Service Providers that provide remote IT support and cybersecurity services for small- to medium-sized businesses that often cannot afford to hire full-time IT employees, due to their limited size or budgets.

Kaseya's advice to shut down VSA servers was emphatic: “It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.”

Timeline of updates:

  • July 2, Shutdown Kaseya VSA immediately.
  • July 3, Two MSPs named, hundreds of Coop stores closed.
  • July 4, 5:00 am, "Thousands affected", zero-day blamed.
  • July 4, 4:00 pm, Malwarebytes telemetry shows surge in REvil detections.
  • July 4, 8:50 pm, REvil asks for $70 million.
  • July 5, 4:30 am, Kaseya releases compromise detection tool.
  • July 5, 5:00 am, Kaseya flaw part of larger structural weakness in admin tools.
  • July 6, 2:45 am, Ransom demand drops to $50 million, REvil branded "terrorists".
  • July 6, 3:15 am, Malwarebytes telemetry reveals global scale of the attack.
  • July 6, 3:40 pm, malspam using fake Kaseya security update.
  • July 7, 8:30 am, Kaseya VSA SaaS platform still offline, not updated as planned.

July 2, Shutdown Kaseya VSA immediately

A severe ransomware attack reportedly taking place now against the popular Remote Monitoring and Management software tool Kaseya VSA has forced Kaseya into offering urgent advice: Shutdown VSA servers immediately.

“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today,” Kaseya wrote on Friday afternoon. “We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.”

Malwarebytes detects the REvil ransomware used in this attack as Sodinokibi. Malwarebytes does not use Kaseya products.