Kaseya management software being used to deploy ransomware


11:20am, 12 July 2021

TLP Rating: Clear


Updated at 11.00am on 12 July: Kaseya has released the update for on-premise servers, together with a Startup Runbook to ensure servers are restarted securely. They have also released a runbook for their Software as a Service offering, as they prepare to resume their cloud service.

Updated at 9.00am on 5 July: Kaseya has released a tool that users can run to check their VSA server for signs of compromise. It can be requested by emailing support@kaseya.com with the subject line "Compromise Detection Tool Request".

---

Kaseya has confirmed that VSA servers will need a patch applied, and will provide further security advice that users should follow before restarting the VSA server.

Kaseya has reported that some of their customers using VSA remote management and monitoring software have had their devices encrypted by REvil ransomware.

Investigation is ongoing; however, all Kaseya VSA users are urged to shut down their VSA instances until further notice.

What's happening

Systems affected

Organisations using Kaseya VSA software to manage their IT infrastructure.

Any system managed by the VSA solution could be affected.


What this means

Any organisations with Kaseya VSA servers are at risk of REvil ransomware.

What to look for

How to tell if you're at risk

You are at risk if your organisation uses Kaseya VSA management software.

How to tell if you're affected

Huntress Labs is investigating and has provided indicators of compromise in a Reddit thread, which it continues to update.

Sophos has also released a set of indicators of compromise.

What to do

Prevention

Updated 11.00am on 12 July: CERT NZ recommends that you follow the appropriate advice in the Startup Runbook provided by Kaseya to resume the service; this includes applying the security update.

Mitigation

Shut down Kaseya VSA servers until Kaseya issues instructions on how to safely restart them.

More information

Kaseya security notice.

Kaseya Startup Runbook.

Huntress Labs Reddit thread.

Sophos Blog.

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
