Kaseya RMM Spreads Ransomware

3rd July 2021

Kaseya RMM Tool Used to Spread Ransomware

Update and Correction – 3:30pm 7/3/21: CyberHoot has confirmed from Kaseya and other cybersecurity news sources that Webroot was not and is not a risk from this Kaseya ransomware event. Only Kaseya is impacted, both in its cloud and in its on-premises VSA RMM software solution. Details from Kaseya are found here (1:30 pm 7/3/2021 update). Kaseya is reporting 40 impacted customers (all MSPs); the Washington Post alleges that those MSPs may be supporting hundreds to thousands of SMBs who may all be impacted. Source: Washington Post article.

CyberHoot will continue to monitor this situation and update this article as additional facts come to light.

~~~~~~~~~~~~~~~~~~~~~~~~

July 2nd, 2021: CyberHoot received notification today of a critical breach of businesses through Kaseya, the third-largest Remote Monitoring and Management (RMM) vendor. While it remains unclear how hackers breached Kaseya’s solution, what is clear is that at least 8 MSPs and 200 clients are dealing with a ransomware attack. Kaseya support has asked all clients to shut down their local VSA management consoles, having shut down its own cloud environment earlier today. Early indications are that remote access, combined with stolen credentials and administrative privileges, has enabled hackers to carry out this ransomware attack. It has been reported on Reddit and other sites (unsubstantiated) that hackers used Kaseya and/or Webroot to execute Sodinokibi ransomware through PowerShell scripting. CyberHoot will continue to monitor this situation and provide updates to this article.

What To Do

If you’re a Kaseya client, per their Client Advisory, you must shut down your VSA Server immediately and keep it shut down until further notice. Continue to monitor Kaseya’s advisory page for further instructions on recovery.

Sources

Kaseya Customer Advisory

REvil Ransomware Targets 200 Companies in MSP Supply-Chain Attack

TechTalk

Ransomware Attack on Connectwise Clients

Ninja RMM Partner Used to Seed Ransomware
