Dive Brief:
- Kaseya, a provider of remote monitoring and endpoint management, began to restore its VSA service Sunday following a ransomware attack by Russia-linked REvil on July 2.
- Kaseya released a patch for its VSA on-premises customers and began deploying it to VSA SaaS customers on Sunday. As of Monday morning, 100% of Kaseya's SaaS customers were live, and the company said servers for the remaining customers would come online within the next few hours.
- Outside researchers validated the patch. Huntress reported that a proof-of-concept exploit the company released on July 6 no longer works once the patch is installed, and that the attack vector is no longer present in the patched version of VSA.
Dive Insight:
Kaseya postponed restoration last week to add further layers of security intended to protect the monitoring service against future intrusions, CEO Fred Voccola said.
The ransomware attack has had far-reaching impacts, hitting around 60 of Kaseya's direct customers and about 1,500 downstream organizations. Those affected are mostly small-to-medium-sized businesses served by managed service providers that run Kaseya VSA. Kaseya has about 36,000 customers globally.
"SaaS is up," Dana Liedholm, senior vice president, corporate marketing said via email Monday morning. "Any on-prem customers who feel ready can restore by installing the patch. As the business day begins we are working with more and more of those OP customers."
Kaseya posted detailed startup runbooks, release notes and best practices guides to help customers get their systems back up and running following the prolonged shutdown.
The combined measures taken by Kaseya to harden the system and to make it more resilient are a positive step, according to Forrester.
"That kind of support should be provided by any third-party hit with a ransomware attack," Allie Mellen, analyst, security and risk, at Forrester said via email. "It is also great news that they have issued this on-prem patch, however this does not mean every affected business is back up and running, as even the installation of the patch is a lengthy process and some organizations are still affected by the ransomware."
The company will need to operate with total transparency on the security efforts in order to maintain and rebuild trust with existing and new customers, Mellen said.
Kaseya has introduced a series of new requirements designed to make VSA more resilient and secure in the face of continued threats. Users must set a new password of at least 16 characters, and the company now requires multifactor authentication for all users.
The recovery comes amid geopolitical pressure to curb the abilities of ransomware operators. President Joe Biden spoke to Russian President Vladimir Putin on Friday and warned that the U.S. would take action to defend itself and its critical infrastructure from further attacks, according to senior administration officials. Biden hinted that one possibility could be to attack servers used in these attacks, though administration officials would not comment on operational matters.
Given the number of ransomware and supply chain attacks this year, the U.S. remains vulnerable to malicious actors, according to Katell Thielemann, research VP at Gartner.
“And the truth is, there is no such thing as being protected,” Thielemann said. “The threat vectors are too numerous and ever changing, whether supply chain attacks, ransomware, data exfiltration or operational disturbance due to cyber-physical impacts.”