Kaseya cyber attack estimated to have impacted 'well over' 1,000 businesses worldwide
Ransomware group REvil claimed responsibility for the cyber attack, which targeted Kaseya's VSA software
Over 1,000 businesses and at least 30 MSPs are estimated to have been hit by a cyberattack which targeted IT management software provider Kaseya on Friday.
The Russian-speaking REvil ransomware group, which the FBI said was behind the recent attack on meat processing company JBS, claimed responsibility and said more than a million systems were infected.
In a post on its dark web site, the group demanded $70m in Bitcoin to release a "universal decryptor" for those impacted.
"Kaseya's VSA product has unfortunately been the victim of a sophisticated cyberattack," Kaseya said in a statement.
"Due to our teams' fast response, we believe that this has been localised to a very small number of on-premises customers only."
Not long after the attack, Kaseya said it had "identified the source of the vulnerability" and has now moved on "from root cause analysis and mitigating the vulnerability" to beginning the execution of its "service recovery plan".
But the firm is continuing to advise that all on-premise VSA servers should be switched off and continues to keep its SaaS servers offline as a precaution, despite claiming that on-prem customers were the only ones to be hit.
It had hoped to bring its SaaS offering back online soon after the attack, but in an update yesterday said it had decided that "more time was needed" before bringing its datacentres back online, adding that it hoped they would be back up by the end of 5 July local time (UTC).
The schedule for getting on-prem customers back online will be published once the SaaS restoration has begun, the company added. It has also released a new compromise detection tool for its customers to download.
Kaseya's VSA software is used by channel partners to help them monitor their customers' networks. Cybersecurity firm Huntress, which has been investigating the attack, said it was used "to encrypt well over 1,000 businesses", adding that it has "high confidence that an authentication bypass was used to gain access into these servers".
It's unclear how many UK-based MSPs, resellers and businesses have been impacted, but Swedish supermarket group Coop was forced to close more than half its stores after falling victim.
In a statement the National Cyber Security Centre said: "We are aware of a cyber incident involving Kaseya, and we are investigating its impact on the UK.
"Ransomware is a growing, global cyber threat, and all organisations should take immediate steps to limit risk and follow our advice on how to put in place robust defences to protect their networks."
Dutch researcher DIVD claimed in a post on its website that it had "previously identified a number of the zero-day vulnerabilities which are currently being used in the ransomware attacks" and had highlighted them to Kaseya.
It said that Kaseya had been "very cooperative" once it was aware of the highlighted vulnerabilities and showed a "genuine commitment to do the right thing" but was "beaten by REvil in the final sprint" as it looked to issue a fix.
Kaseya is expected to release another update later today.