About 60 Kaseya customers hit by REvil

by Joseph K. Clark

The number of managed service provider (MSP) customers impacted by a wide-ranging REvil/Sodinokibi ransomware attack orchestrated through Kaseya’s VSA product has been revised upward from around 40 to about 60.

The attack, which unfolded on 2 July, has disrupted some 1,500 downstream customers – many small and medium-sized enterprises (SMEs) of the affected MSPs.

In a new statement released within the past 24 hours, Kaseya said it had received no reports of any further compromises for VSA users since 3 July and had found no evidence that any of its software-as-a-service (SaaS) customers have been impacted. It added that VSA is the only product compromised, and all its other services are unaffected.

“Our executive committee met this afternoon [5 July] at 6.30 pm EDT [11.30 pm BST] to reset the timeline and process for bringing our SaaS and on-premises customers back online,” said the firm. “The patch for on-premises customers has been developed and is currently going through the testing and validation process. We expect the patch to be available within 24 hours after our SaaS servers have been brought up.”

Kaseya expects to return its SaaS servers online on 6 July between 7 pm and 10 pm UK time and will make a final decision imminently. It said it would release VSA with staged functionality to recover services sooner, with the first release preventing access to some functionality for the time being.


It has also met with US authorities to discuss the system and network hardening requirements for SaaS and on-premise customers and will post these requirements again. The patch will likely be required to be installed before restarting. In the meantime, all on-premise VSA servers must remain offline.

“Our outside experts have advised us that customers who experienced ransomware and received communication from the attackers should not click on any links – they may be weaponized,” it added.

So far, few of the impacted MSP customers have identified themselves. Still, Netherlands-based Velzart, a cloud, IT, and networking services provider, keeps its customers informed of its recovery progress via its blog.

At the end of Monday, 6 July, the firm reported that it had technically repaired 70% of impacted servers and returned them to customer use. It was expected to restore the rest of its server estate by Wednesday. The firm thanked its clients for their patience, understanding, technical assistance, and refreshments.

As more information continues to trickle out about the attack, it is now becoming clear that REvil accessed on-premise instances of the VSA server through a newly uncovered zero-day – as previously disclosed, probably an SQL injection vulnerability – and delivered the ransomware payload via an automatic update rolled out disguised as a management agent. Sophos noted that this gave the gang additional cover to sneak past defenses by exploiting customer trust in the VSA product.

Related Posts