Alleged Kaseya REvil Ransomware Hacker Extradited, Arraigned

• How many customer endpoints overall were encrypted? The hackers claimed to have hit 1 million endpoints, but the actual figure remains unclear.

• Alleged Kaseya Hacker Extradited: Yaroslav Vasinskyi, the alleged Kaseya VSA hacker, was extradited and arraigned in a Dallas, Texas court, this week.

• The FBI admitted that it hid for nearly three weeks a decryption key that would have unfrozen systems of dozens of MSPs and hundreds of businesses crippled by the REvil ransomware attack on Kaseya’s VSA software in July 2021.

• The universal decryption key for REvil's attack on Kaseya's customers has been leaked on hacking forums allowing researchers their first glimpse of the mysterious key. Source: Bleeping Computer, August 11, 2021.

• Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor key for the REvil Ransomware attack that struck on July 2, 2021, the MSP software company disclosed on July 26, 2021.

• Customers have to sign a non-disclosure agreement (NDA) in order to receive the decryption key from the software company, CNN reports. The non-disclosure practice is not uncommon in the cyber market, but the NDA could make it more difficult to understand the overall attack and recovery, CNN notes.

• Kaseya on July 21 obtained a decryptor for victims of the REvil ransomware attack, and the company is working to remediate customers impacted by the incident, the company disclosed on July 22. Kaseya did not say whether the company paid the REvil ransomware gang any type of extortion to obtain the key. Emsisoft has confirmed the key is effective at unlocking victims, Kaseya adds.

• After a July 6 delay, Kaseya's SaaS-based VSA platform began a re-activated with security enhancements on Sunday, July 11, 2021. The SaaS restore appears complete, though Kaseya did have some unplanned SaaS infrastructure maintenance during the restore day.

• Kaseya remains on track to release the VSA On-Premises Patch and begin deployment to the VSA SaaS Infrastructure today (Sunday, July 11 at 4:00 PM EDT), the company said. Voccola disclosed the July 11 target in a video released on July 7. The fixes originally were scheduled to roll out on July 6, but Voccola halted the July 6 rollout in order to take additional security steps, he said on July 7.

• Kaseya executives allegedly were warned of critical security flaws in its software before the July 2021 ransomware attack, according to five former employees. Kaseya did not comment for the report. Source: Bloomberg, July 10, 2021.

Dear Partners,  

We have received some questions about when we will re-enable IT Glue/Kaseya integrations following the ransomware attack against Kaseya, which impacted some of our shared partners. Given the sophistication and scope of the attack, we temporarily disabled integrations between Kaseya platform products and ConnectWise. 

We will re-enable the IT Glue integration (and others) once we officially confirm that there is no vulnerability or threat through third-party validation or through our own due diligence to confirm there is no risk to our partners as it relates to this incident. If it is confirmed that there was in fact a compromise of anything on the Kaseya or IT Glue side that integrates with ConnectWise applications, cybercriminals could, in certain situations, potentially leverage that to possibly exfiltrate data or execute code remotely. We engaged with Kaseya to ensure our concerns are not only heard but addressed, and currently the third-party validation provided confirms VSA’s exposure but did not indicate any analysis had been done for IT Glue or other Kaseya solutions. We’ve requested this from Kaseya/IT Glue and we have also offered to help fund such an audit.

We apologize for the delay, but our top priority continues to be ensuring our partners and your clients are protected. Thank you for your patience as we work through the fallout from the Kaseya attack. We will continue to provide you with regular updates. In the meantime, you can find resources at https://www.connectwise.com/company/trust or https://www.connectwise.com/company/rapid-response.

Thank you for your partnership.  

Sincerely,  
Tom Greco
CISO, ConnectWise

• Kaseya expected its SaaS servers to be back online July 6 between 4:00 p.m. and 7:00 p.m. ET, but an issue popped up that delayed the restart.
• Kaseya has developed a patch for on-premises customers, and expects the patch to be available within 24 hours (or less) after the company's SaaS servers have been brought up.  
• The company's noon ET statement today also described additional security measures that are in place.
• Synnex confirmed that hackers have targeted Synnex in an attempt to access customer applications within Microsoft's cloud, but the distributor seemed to indicate that this particular threat had been addressed, and Synnex seemed to distance itself from the Kaseya VSA attack. Source: Synnex.
• Senior members of the Biden administration’s national security team plan to meet with senior members of the Kremlin following a supply-chain attack that delivered ransomware to as many as 1,500 entities via network management software firm Kaseya, according to White House Press Secretary Jen Psaki. Source: NextGov, July 6, 2021.

• VSA is the only Kaseya product affected by the attack and all other IT Complete modules are not impacted, the company says.
• The REvil Ransomware gang is demanding $70 million in Bitcoin for a tool that can decrypt all the affected systems, Bleeping Computer reports.
• Kaseya CEO Fred Voccola spoke with U.S. Deputy National Security Advisor Anne Neuberger about the attack. Voccola told the White House that Kaseya wasn’t aware of any critical infrastructure that had been hit by the ransomware or of any victims related to national security, The Wall Street Journal reports.

• Kaseya has hired FireEye Mandiant to investigate the attack.
• Between 50 and 60 Kaseya customers were hit, Kaseya CEO Fred Voccola told the associated press.
• The report did not mention how many MSP end-customers and end-points suffered ransomware attacks.
• The attack spans victims in at least 17 countries -- including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya, ESET reports.
• The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled.
• A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.
• Two big Dutch services companies — VelzArt and Hoppenbrouwer Techniek -- were hit.
• Sources: The Associated Press, ESET.

• The White House confirmed that it has been working with the FBI, CISA and Kaseya to investigate the Kaseya cyberattack since July 2.
• 2:06 p.m. ET: The CISA and FBI issued this guidance for MSPs and end-customers affected by the Kaseya VSA supply chain ransomware attack.
• 9:05 a.m. ET: Kaseya introduced this VSA Detection Tool to help MSPs determined if their RMM software has been attacked/compromised. The tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present, the CISA notes.

"We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.

We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.

Its critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA."

 "We are in the process of investigating the root cause of the incident with the utmost vigilance, we have: (a.) Notified all of our on-premise customers to immediately shutdown their VSA servers and (b.) shut down our SaaS Servers.

We have been further notified by a few security firms of the issue and we are working closely with them as well. While we continue to investigate the incident, we will update our customers (and interested parties) as we have more information."

• "We were first notified at 12:35 ET today and it has been an all-hands-on-deck evolution to respond and make the community aware. The ransomware does have a digital signature. The Kaseya team has been very responsive with our threat intelligence."
• "We cannot emphasize enough that we do not know how this is infiltrated in Kaseya's VSA. At the moment, no one does."
• "We are aware of four MSPs where all of the clients are affected -- three in the U.S. and one abroad."
• "MSPs with over thousands of endpoints are being hit."
• "We have seen that when an MSP is compromised, we've seen proof that it has spread through the VSA into all the MSP's customers."
• "Kaseya's VSA could be either on-premises or cloud hosted. They currently have all of their cloud servers offline for emergency maintenance."
• "To the question 'does this indicate Kaseya is breached?': Right now, across the now half-dozen MSPs that we know are compromised -- the single commonality is Kaseya VSA."
• "Based on everything we are seeing right now, we strongly believe this REvil/Sodinikibi."
• "Currently We have three Huntress partners that are impacted with roughly 200 businesses encrypted."
• "The legitimate Windows Defender executable was used to side-load a malicious DLL."