
Alleged Kaseya REvil Ransomware Hacker Extradited, Arraigned


An alleged participant in the July 2021 ransomware attack against Kaseya has been extradited to the United States and arraigned, the U.S. Department of Justice said.

The Kaseya VSA supply chain cyberattack hit roughly 50 MSPs on July 2, 2021. The REvil ransomware attack spread from the MSPs to between 800 and 1,500 businesses worldwide, Kaseya CEO Fred Voccola told Reuters on July 5, 2021.

Fast forward to March 2022, and alleged hacker Yaroslav Vasinskyi was extradited and arraigned in a Dallas, Texas court.

An indictment, unsealed on November 8, 2021, charged Vasinskyi, 22, a Ukrainian national, with conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya, the DOJ said.

The department also seized $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who is also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas on or about Aug. 16, 2019.

White House Deputy National Security Adviser Anne Neuberger

VSA is available as a SaaS service or as an on-premises server. After more than a week of analysis and software hardening, Kaseya on July 11 restored its SaaS-based RMM service for MSPs, and also issued a patch for on-premises VSA customers. Among the details that remain unknown:

  • How many customer endpoints overall were encrypted? The hackers claimed to have hit 1 million endpoints, but the actual figure remains unclear.

Below is a timeline tracking the Kaseya VSA cyberattack, status updates, and business recovery tips for MSPs. Blog originally posted July 2, 2021. Updated regularly thereafter.

Note - Official Statements From Kaseya: Kaseya's official incident page carries the company's ongoing updates, patch and restore information.

March 2022: Alleged Kaseya Attacker Extradited and Arraigned (see the top of this post)

September 21, 2021: FBI Withheld REvil Ransomware Decryptor Key

August 11, 2021: Decryption Key Leaks Online

  • The universal decryption key for REvil's attack on Kaseya's customers has been leaked on hacking forums allowing researchers their first glimpse of the mysterious key. Source: Bleeping Computer, August 11, 2021.

July 26, 2021: Kaseya Did Not Pay the Ransom

  • Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor key for the REvil Ransomware attack that struck on July 2, 2021, the MSP software company disclosed on July 26, 2021.

July 23, 2021: Decryptor Tool Requires Non-Disclosure

  • Customers have to sign a non-disclosure agreement (NDA) in order to receive the decryption key from the software company, CNN reports. The non-disclosure practice is not uncommon in the cyber market, but the NDA could make it more difficult to understand the overall attack and recovery, CNN notes.

July 22, 2021: Kaseya Obtained Universal Decryptor Key

  • Kaseya on July 21 obtained a decryptor for victims of the REvil ransomware attack, and the company is working to remediate customers impacted by the incident, the company disclosed on July 22. Kaseya did not say whether the company paid the REvil ransomware gang any type of extortion to obtain the key. Emsisoft has confirmed the key is effective at unlocking victims, Kaseya adds.

July 13, 2021: CISA Guidance; REvil Disappears; ConnectWise Re-Activates IT Glue Integration

1. CISA Guidance for Kaseya MSPs: CISA (the Cybersecurity and Infrastructure Security Agency) has issued guidance for MSPs and customers that run Kaseya's VSA software.

2. REvil Disappears: Websites run by the ransomware gang REvil suddenly became unreachable, sparking widespread speculation that the group had been knocked offline perhaps by the U.S. government. Source: Reuters, July 13, 2021.

3. ConnectWise-IT Glue Integration: ConnectWise, as of 10:00 a.m. ET, has reactivated an integration with IT Glue -- an MSP documentation platform owned by Kaseya. ConnectWise reactivated the connection after receiving written assurances from Mandiant that IT Glue was not impacted by the VSA incident. Kaseya had hired Mandiant to investigate the VSA attack. ConnectWise also performed a risk assessment, and then reactivated the ConnectWise Manage and Automate integrations with IT Glue. When the VSA attack initially occurred, ConnectWise said it was disabling the IT Glue connection out of an abundance of caution.

July 12, 2021: Kaseya VSA SaaS Restore and On-Premises Patch Progress

  • After a July 6 delay, Kaseya's SaaS-based VSA platform was re-activated with security enhancements on Sunday, July 11, 2021. The SaaS restore appears complete, though Kaseya did have some unplanned SaaS infrastructure maintenance during the restore day.

July 11, 2021: Kaseya VSA SaaS Restore and On-Premises Patch Begins

  • Kaseya remains on track to release the VSA On-Premises Patch and begin deployment to the VSA SaaS Infrastructure today (Sunday, July 11 at 4:00 PM EDT), the company said. Voccola disclosed the July 11 target in a video released on July 7. The fixes originally were scheduled to roll out on July 6, but Voccola halted the July 6 rollout in order to take additional security steps, he said on July 7.

July 10, 2021: Alleged Whistle Blowers

  • Kaseya executives allegedly were warned of critical security flaws in its software before the July 2021 ransomware attack, according to five former employees. Kaseya did not comment for the report. Source: Bloomberg, July 10, 2021.

July 8, 2021: ConnectWise-IT Glue Integration; Fake Email Warnings; Local Governments Hit

1. IT Glue Requests ConnectWise Re-Integration: IT Glue, a division of Kaseya, has published an open letter calling on ConnectWise to re-activate an integration with the IT Glue MSP documentation software platform. ConnectWise, as MSSP Alert reported on July 2 (see further below), turned off the integration out of an abundance of caution amid the Kaseya VSA cyberattack and associated SaaS-based VSA shut-down. Kaseya and IT Glue, meanwhile, say the cyberattack was limited to VSA and did not involve IT Glue.

2. ConnectWise Statement on IT Glue Integration: In a letter from ConnectWise CISO Tom Greco to partners, ConnectWise wrote:

Dear Partners,  

We have received some questions about when we will re-enable IT Glue/Kaseya integrations following the ransomware attack against Kaseya, which impacted some of our shared partners. Given the sophistication and scope of the attack, we temporarily disabled integrations between Kaseya platform products and ConnectWise. 

We will re-enable the IT Glue integration (and others) once we officially confirm that there is no vulnerability or threat through third-party validation or through our own due diligence to confirm there is no risk to our partners as it relates to this incident. If it is confirmed that there was in fact a compromise of anything on the Kaseya or IT Glue side that integrates with ConnectWise applications, cybercriminals could, in certain situations, potentially leverage that to possibly exfiltrate data or execute code remotely. We engaged with Kaseya to ensure our concerns are not only heard but addressed, and currently the third-party validation provided confirms VSA’s exposure but did not indicate any analysis had been done for IT Glue or other Kaseya solutions. We’ve requested this from Kaseya/IT Glue and we have also offered to help fund such an audit.

We apologize for the delay, but our top priority continues to be ensuring our partners and your clients are protected. Thank you for your patience as we work through the fallout from the Kaseya attack. We will continue to provide you with regular updates. In the meantime, you can find resources at https://www.connectwise.com/company/trust or https://www.connectwise.com/company/rapid-response.

Thank you for your partnership.  

Sincerely,  
Tom Greco
CISO, ConnectWise

3. Kaseya Fake Email Warning: Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates, the IT management software company says. However, the messages are phishing emails that may contain malicious links and/or attachments. Kaseya is warning recipients to not click on any links or download any attachments claiming to be a Kaseya advisory. Moving forward, Kaseya email updates will not contain any links or attachments, the software company says.

4. Kaseya Flaw - Six Years Old?: Kaseya’s customer service portal apparently was left vulnerable until early July 2021 to a data-leaking security flaw that was first identified in the same software back in July 2015. Source: KrebsOnSecurity, July 8, 2021.

5. Local Governments Impacted: Two small towns in Maryland -- namely, Leonardtown and North Beach -- appear to be the first local governments known to be hit by the REvil ransomware attack vs. Kaseya. Leonardtown gets its IT services from JustTech, an MSP in La Plata, Maryland. Source: StateScoop, July 8, 2021.

July 7, 2021: Kaseya VSA SaaS & On-Premises Recovery Delayed

1. Kaseya VSA Recovery Delayed: Kaseya's VSA SaaS restart began on July 6, but the company discovered an issue that has blocked the release. As a result, the SaaS restart of VSA has been delayed and won't restart until Sunday, July 11, 2021, around 4:00 p.m. ET, Voccola said in a July 7 video. In that video, Voccola said the delay is based on newly planned security enhancements rather than a restore issue. Voccola said the decision to delay the SaaS restart was entirely his.

2. Vulnerability Warning in April 2021: Kaseya was warned in early April 2021 about the VSA vulnerabilities exploited in the attack, according to the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya responded with urgency once it was notified of the vulnerabilities, but the company is still working to fully patch its VSA software. Source: The Wall Street Journal.

3. Attack Avoids Russian-Language Systems: The ransomware code used in the attack was written to "avoid systems that have default languages from what was the USSR region," Trustwave, a Top 250 MSSP, reports.

4. Virginia Tech Suffers Ransomware Attack: The cyberattack impacted roughly 600 computers at Virginia Tech, a Kaseya VSA customer. Source: Virginia Tech.

July 6, 2021: Kaseya VSA Cyberattack Updates

  • Kaseya expected its SaaS servers to be back online July 6 between 4:00 p.m. and 7:00 p.m. ET, but an issue popped up that delayed the restart.
  • Kaseya has developed a patch for on-premises customers, and expects the patch to be available within 24 hours (or less) after the company's SaaS servers have been brought up.  
  • The company's noon ET statement today also described additional security measures that are in place.
  • Synnex confirmed that hackers have targeted Synnex in an attempt to access customer applications within Microsoft's cloud, but the distributor seemed to indicate that this particular threat had been addressed, and Synnex seemed to distance itself from the Kaseya VSA attack. Source: Synnex.
  • Senior members of the Biden administration’s national security team plan to meet with senior members of the Kremlin following a supply-chain attack that delivered ransomware to as many as 1,500 entities via network management software firm Kaseya, according to White House Press Secretary Jen Psaki. Source: NextGov, July 6, 2021.

July 5, 2021 Updates

  • VSA is the only Kaseya product affected by the attack and all other IT Complete modules are not impacted, the company says.
  • The REvil Ransomware gang is demanding $70 million in Bitcoin for a tool that can decrypt all the affected systems, Bleeping Computer reports.
  • Kaseya CEO Fred Voccola spoke with U.S. Deputy National Security Advisor Anne Neuberger about the attack. Voccola told the White House that Kaseya wasn’t aware of any critical infrastructure that had been hit by the ransomware or of any victims related to national security, The Wall Street Journal reports.

July 4, 2021: Attack Reach, Victims

According to an Associated Press story:

  • Kaseya has hired FireEye Mandiant to investigate the attack.
  • Between 50 and 60 Kaseya customers were hit, Kaseya CEO Fred Voccola told The Associated Press.
  • The report did not mention how many MSP end-customers and end-points suffered ransomware attacks.
  • The attack spans victims in at least 17 countries -- including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya, ESET reports.
  • The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled.
  • A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.
  • Two big Dutch services companies — VelzArt and Hoppenbrouwer Techniek -- were hit.
  • Sources: The Associated Press, ESET.

July 4, 2021: Kaseya VSA Cyberattack Detection Tool

  • The White House confirmed that it has been working with the FBI, CISA and Kaseya to investigate the Kaseya cyberattack since July 2.
  • 2:06 p.m. ET: CISA and the FBI issued guidance for MSPs and end-customers affected by the Kaseya VSA supply chain ransomware attack.
  • 9:05 a.m. ET: Kaseya introduced a VSA Detection Tool to help MSPs determine whether their RMM software has been attacked or compromised. The tool analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IoCs) are present, CISA notes.

July 2, 2021: Initial CISA and Kaseya Alerts to MSPs

The CISA (Cybersecurity and Infrastructure Security Agency) has issued an alert about the attack, stating that the agency is monitoring details about a "supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software."

Indeed, the REvil ransomware gang apparently injected code into VSA as part of a supply chain attack that now extends to MSPs and end-customers, Huntress tells MSSP Alert.

The initial July 2, 2021 alert from Kaseya states:

"We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.

We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.

It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA."

July 2, 2021: Kaseya Statement to MSSP Alert

In a followup statement from Kaseya to MSSP Alert at 4:11 p.m. ET, the company said:

"We are in the process of investigating the root cause of the incident with the utmost vigilance, we have: (a.) Notified all of our on-premise customers to immediately shutdown their VSA servers and (b.) shut down our SaaS Servers.

We have been further notified by a few security firms of the issue and we are working closely with them as well. While we continue to investigate the incident, we will update our customers (and interested parties) as we have more information."

Kaseya is a major business management and IT automation software provider to MSPs. VSA is among the world's most popular software for MSPs that deliver RMM services.

July 2, 2021: Huntress Says REvil/Sodinokibi Ransomware May Be Involved

Huntress, an MDR (managed detection and response) service provider that supports MSPs, offered third-party perspective to MSSP Alert. According to John Hammond, a senior security researcher at Huntress:

  • "We were first notified at 12:35 ET today and it has been an all-hands-on-deck evolution to respond and make the community aware. The ransomware does have a digital signature. The Kaseya team has been very responsive with our threat intelligence."
  • "We cannot emphasize enough that we do not know how this is infiltrated in Kaseya's VSA. At the moment, no one does."
  • "We are aware of four MSPs where all of the clients are affected -- three in the U.S. and one abroad."
  • "MSPs with over thousands of endpoints are being hit."
  • "We have seen that when an MSP is compromised, we've seen proof that it has spread through the VSA into all the MSP's customers."
  • "Kaseya's VSA could be either on-premises or cloud hosted. They currently have all of their cloud servers offline for emergency maintenance."
  • "To the question 'does this indicate Kaseya is breached?': Right now, across the now half-dozen MSPs that we know are compromised -- the single commonality is Kaseya VSA."
  • "Based on everything we are seeing right now, we strongly believe this is REvil/Sodinokibi."
  • "Currently we have three Huntress partners that are impacted with roughly 200 businesses encrypted."
  • "The legitimate Windows Defender executable was used to side-load a malicious DLL."
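The last Huntress observation above, a legitimately signed executable being used to side-load a malicious DLL, is a pattern an MSP or MSSP can hunt for in endpoint telemetry. The following is an added example (not code from Huntress, Kaseya or this article) that joins simplified process-create and image-load records modelled on Sysmon field names and flags a DLL that is loaded from the same directory as a validly Microsoft-signed host executable but is not Microsoft-signed itself; it raises the severity when the signed host runs from outside its usual install locations. The events, GUIDs and file paths are constructed for the example and are not indicators of compromise; note that stock Sysmon carries signature fields only on image-load and driver-load events, so the assumed process-create records here are enriched beyond what Sysmon EventID 1 provides.

```python
"""DLL side-loading detection over constructed Sysmon-style events.

Joins process-create records (EventID 1) with image-load records (EventID 7)
by ProcessGuid and flags a DLL that:
  * is loaded by a process whose executable is validly Microsoft-signed,
  * sits in the same directory as that executable (the first location in the
    default Windows DLL search order), and
  * is not itself validly Microsoft-signed.
Assumption: the EventID 1 records carry Signed/Signature/SignatureStatus for
the process image. Stock Sysmon only puts those fields on EventID 7 and
EventID 6, so a real pipeline must enrich process-create events first.
"""
import ntpath

MS_PUBLISHERS = {"Microsoft Corporation", "Microsoft Windows"}
# Directories in which Microsoft-signed host binaries are normally installed.
USUAL_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows\\system32")


def ms_signed(ev):
    """True if the record describes a valid Microsoft Authenticode signature.
    Sysmon stores the Signed flag as the string "true"/"false"."""
    return (ev.get("Signed") == "true"
            and ev.get("SignatureStatus") == "Valid"
            and ev.get("Signature") in MS_PUBLISHERS)


def same_dir(path_a, path_b):
    """Case-insensitive comparison of the two files' parent directories."""
    return ntpath.dirname(path_a).lower() == ntpath.dirname(path_b).lower()


def in_usual_dir(path):
    """True if the executable lives under one of the expected install roots."""
    return ntpath.dirname(path).lower().startswith(USUAL_DIRS)


def detect_sideload(events):
    """Return (host_exe, dll, severity) for every suspected side-load."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = []
    for ev in events:
        if ev["EventID"] != 7:
            continue
        proc = procs.get(ev["ProcessGuid"])
        if proc is None or not ms_signed(proc):
            continue  # only a trusted, signed host being abused is of interest
        dll = ev["ImageLoaded"]
        if ms_signed(ev) or not same_dir(proc["Image"], dll):
            continue
        # A signed host copied out of its install directory is the classic
        # set-up for dropping a look-alike DLL beside it.
        severity = "high" if not in_usual_dir(proc["Image"]) else "medium"
        hits.append((proc["Image"], dll, severity))
    return hits


# Constructed sample telemetry; MsMpEng.exe is the Defender engine binary,
# the DLL names, GUIDs and the C:\Windows copy are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": "C:\\Windows\\MsMpEng.exe",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {"EventID": 7, "ProcessGuid": "{A}", "ImageLoaded": "C:\\Windows\\helper.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {"EventID": 7, "ProcessGuid": "{B}", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Unsigned third-party tool loading its own plugin: host is not trusted, so ignored.
    {"EventID": 1, "ProcessGuid": "{C}", "Image": "C:\\Tools\\app.exe",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessGuid": "{C}", "ImageLoaded": "C:\\Tools\\plugin.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    # Signed host in its usual place loading an unsigned DLL beside it: medium.
    {"EventID": 7, "ProcessGuid": "{B}", "ImageLoaded": "C:\\Program Files\\Windows Defender\\update.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for host, dll, sev in detect_sideload(SAMPLE_EVENTS):
        print(f"[{sev}] {host} loaded {dll}")
```

The rule deliberately ignores unsigned hosts loading unsigned DLLs (ordinary for third-party software) and signed hosts loading signed DLLs; what it keeps is the narrow case where a trusted binary's search order has been hijacked, which is the only way a defender process ends up executing attacker code without the attacker touching the signed file.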

July 2, 2021: MSP Software Industry Responds

Major companies and upstarts across the MSP software industry are watching the situation closely.

ConnectWise, for instance, has temporarily disabled all on-premises and cloud Kaseya integrations into ConnectWise Manage as a precautionary step until more information about the alleged VSA attack is available. ConnectWise plans to provide an update soon on when it plans to re-enable this integration.

ConnectWise Manage is a PSA (professional services automation) software platform that thousands of MSPs use in tandem with Kaseya VSA.

Meanwhile, a backup and disaster recovery (BDR) company in the MSP market says multiple MSPs have reached out to the BDR firm for recovery help. Stay tuned for updates on that developing BDR story angle.

Kaseya Exploring Potential IPO, Financial Move

The cyberattack surfaces as Kaseya ramps up for a potential IPO or financial event. The software company is backed by private equity firms Insight Venture Partners and TPG.

MSSP Alert first learned of the developing VSA story from The Cyber Nation. Stay tuned for potential updates to this story.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.