A massive ransomware attack by REvil has affected several managed service providers and over a thousand of their customers through a reported Kaseya supply chain attack, which was allegedly committed by the REvil ransomware gang alias Sodinokibi.<\/p>\n\n\n\n
Kaseya VSA is a cloud-based MSP platform that enables vendors to perform patch management and client monitoring for their customers.<\/p>\n\n\n\n
John Hammond of Huntress Labs mentioned that all affected MSPs use Kaseya VSA and that they have evidence that their customers are also encrypted.<\/p>\n\n\n\n
Kaseya has posted a security advisory on its helpdesk page warning all VSA customers to immediately shut down their VSA server to prevent the spread of the attack while investigations are ongoing.<\/p>\n\n\n\n
Most large-scale ransomware attacks are carried out late at night over the weekend when less staff are available to monitor the network.<\/p>\n\n\n\n
Threat actors probably planned the timing to coincide with the Fourth of July weekend in the U.S., where it is common for employees to have a shorter working day before the holidays.<\/p>\n\n\n\n
The ransomware gang demanded a ransom of $5 million in exchange for a decryptor from one of the samples.<\/p>\n\n\n\n
MSP customers affected by the attack received a significantly lower ransom of $44,999.<\/p>\n\n\n\n
Although REvil is known to steal data before the ransomware is deployed and devices are encrypted, it is not known whether the attackers have exfiltrated any files.<\/p>\n\n\n