REvil is pushing ransomware via an update for Kaseya's IT management software, hitting hundreds of managed service providers with thousands of customers
A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack.
BleepingComputer · Lawrence Abrams
Related Coverage
- Biden announces investigation into international ransomware attack The Guardian
- View article DIVD CSIRT
- Massive Ransomware Attack May Impact Thousands of Victims Bloomberg · William Turton
- View article PCMag
- Hundreds of Businesses, From Sweden to U.S., Affected by Cyberattack New York Times · Kellen Browning
- Kaseya supply‑chain attack: What we know so far WeLiveSecurity
- View article SC Media
- View article Bloomberg
- Ransomware Group Behind Meat-Supply Attack Likely Hits Thousands of New Targets Wall Street Journal · Robert McMillan
- Rapid Response: Mass MSP Ransomware Incident Huntress Blog · John Hammond
- Hackers conduct one of the largest supply chain cyberattacks to date Engadget · Jon Fingas
- Updates Regarding VSA Security Incident Kaseya · Fred Voccola
- Massive ransomware attack potentially hit 1,000 businesses Livemint
- Kaseya Cyberattack: End Customers Ransomed, MSPs Spared CRN · Michael Novinson
- Ransomware attack on software manager hits 200 companies NBC News · Kevin Collier
- Kaseya VSA supply-chain ransomware attack hit hundreds of companies Security Affairs · Pierluigi Paganini
- Ransomware Attack Spreads to Hundreds of Companies Newser · Bob Cronin
- Hundreds Of US Companies Potentially Rocked By ‘Colossal’ Supply Chain Ransomware Attack HotHardware.com News · Nathan Ord
- IT management biz Kaseya pwned by miscreants to infect businesses with ransomware The Register · Iain Thomson
- Huge ransomware attack hits hundreds of US businesses TechSpot · Matthew Lee
- Kaseya Details REvil Attack, Incident Response Plan Security Boulevard · Michael Vizard
- Ransomware attack of 200 firms by group behind Apple extortion attempt AppleInsider · Malcolm Owen
- REvil ransomware group strikes again with attack on hundreds of companies right before long holiday weekend Insider · Matthew Fox
- REvil Ransomware targets 1000+ businesses causing holiday havoc HackRead · Sudais Asif
- Important Notice July 3rd, 2021 Kaseya · Fred Voccola
- IT Software Firm Kaseya Hit By Supply Chain Ransomware Attack SecurityWeek · Eduard Kovacs
- Kaseya VSA Supply-Chain Ransomware Attack CISA
- Supply chain attack on Kaseya infects hundreds with ransomware: What we know VentureBeat · Fahmida Y. Rashid
- Russia-linked hackers target IT supply chain with ransomware Financial Times · Hannah Murphy
- Hundreds of US companies hit by ‘colossal’ cyberattack before July 4th New York Post · Dana Kennedy
- Kaseya, a Software Provider, Investigates Potential Cyberattack New York Times · Kellen Browning
- A New Kind of Ransomware Tsunami Hits Hundreds of Companies Wired · Brian Barrett
- Kaseya Supply-Chain Attack Hits Nearly 40 Service Providers With REvil Ransomware The Hacker News · Ravie Lakshmanan
- A New Wave Of Ransomware Has Been Sparked By A Cyberattack On Tech Provider Kaseya Forbes · Martin Giles
- REvil Ransomware Hits 200 Companies In MSP Supply-Chain Attack Slashdot · BeauHD
- US companies hit by ‘colossal’ cyber-attack BBC
- A Large Ransomware Attack Has Ensnared Hundreds of Companies Gizmodo · Lucas Ropek
- Kaseya Case Update DIVD CSIRT · Lennaert Oudshoorn
- ‘Turn off your heart’: Kaseya VSA ransomware hits MSPs in a vital organ SC Media · Joe Uchill
- REvil's Latest Ransomware Campaign Affects More Than 200 Companies PCMag · Nathaniel Mott
- Kaseya VSA Supply-Chain Ransomware Attack Sophos Community
- July 4th Nightmare: Potential Cyberattack Targets Kaseya VSA, MSP Customers Channel Futures · Edward Gately
- Widespread ransomware attack likely hit ‘thousands’ of companies on eve of long weekend Washington Post
- mpsvc.dll — Ad-Aware Gen:Variant.Bulz.471680 ALYac Gen:Variant.Bulz.471680 Avast FileRepMetagen … VirusTotal
- Kaseya urges customers to immediately shut down VSA servers after ransomware attack ZDNet · Jonathan Greig
- Cyber attack on US businesses through Kaseya software to be investigated for Russia links ABC
- Russia-based hackers breach more than 1,000 businesses Axios
- Holiday-Weekend Ransomware Attack Leaves Companies Scrambling Voice of America
- Biden: ‘Initial thinking’ recent ransomware attack not by Russian government The Hill · Jordan Williams
- Ransomware breach at Florida IT firm hits 200 businesses Yahoo Finance
- The Week in Ransomware - July 2nd 2021 - MSPs under attack BleepingComputer · Lawrence Abrams
- Swedish Coop supermarkets shut due to US ransomware cyber-attack BBC · Joe Tidy
- Coop supermarket closes hundreds of stores after Kaseya supply chain ransomware attack Security Affairs · Pierluigi Paganini
- Cyber attack against U.S. IT provider forces Swedish chain to close 800 stores Reuters · Johan Ahlander
- Coop supermarket closes 500 stores after Kaseya ransomware attack BleepingComputer · Lawrence Abrams
- Kaseya VSA Ransomware Attack Hits Nearly 40 MSPs CRN · Michael Novinson
Discussion
-
reddit
reddit
on reddit
Critical Ransomware Incident in Progress
-
@uscert_gov
Us-Cert
on x
.@CISAgov is taking action to understand and address the supply-chain #ransomware attack against Kaseya VSA and the multiple #MSPs that employ VSA software. Review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers: https://helpdesk.kaseya.com/ ...
-
@kaseyacorp
@kaseyacorp
on x
Important Notice July 2, 2021 KASEYA VSA UPDATE - Latest update 11:00 PM EDT. Visit the Kaseya Help Desk for more information: https://helpdesk.kaseya.com/ ... https://twitter.com/...
-
@kevincollier
Kevin Collier
on x
New and developing: An enormous supply-chain ransomware attack, potentially the single largest criminal ransomware spree in history, is happening now at the start of the 4th of July weekend https://www.nbcnews.com/...
-
@c_c_krebs
Chris Krebs
on x
News Flash: cybercriminals are a$$holes. Keep all the Incident Response teams in mind this holiday weekend as they're in the thick of it...again. If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate IR. Here's the binary: https://www.virustotal.com/... …
-
@gossithedog
Kevin Beaumont
on x
For anybody confused about how ~40 Kaseya customers being hacked caused so many problems - two are named here, both are managed service providers. REvil then propagates automatically to *their* customers. So the victims include non-Kaseya customers. https://www.bloomberg.com/...
-
@dinodaizovi
Dino A. Dai Zovi
on x
The software ecosystem is so complex that this will keep happening as long as customers buy products that have excessive privilege models like this. Are you outsourcing your security control plane? If so, why are you doing that? If the reason is “security,” maybe re-consider? htt…
-
@infosecsapper
@infosecsapper
on x
@timinbrum @Nedrick_NA @GossiTheDog Every MSP that escaped Solarwinds and Kaseya remembering third time's a charm... https://twitter.com/...
-
@uk_daniel_card
@uk_daniel_card
on x
its not everyday u get advised to SHUT DOWN all ur servers running a product... https://us-cert.cisa.gov/... I mean this is nicht fun ....
-
@anthonyrhook
@anthonyrhook
on x
This is not a small thing. https://www.reddit.com/... #kaseya #ransomware
-
@islivingston
Ian Livingston
on x
Things that aren't great https://twitter.com/...
-
@corymacd
@corymacd
on x
I'd like to pour one out for all the folks at MSPs using Kaseya. RIP your holiday weekend.
-
@infinitelogins
Harley
on x
“We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted. We are aware of at least 8 impacted MSP partners at this time.” I feel for all of my MSP friends right now. Bad day to be a Kaseya customer. https://www.reddit.com/..…
-
@viss
@viss
on x
i hope that the irony of a company who advertises ‘patch management’ being the victims of a massive ransomware attack which has spread to their customers is not lost on anyone. https://twitter.com/...
-
@sophos
@sophos
on x
Active Ransomware Attack on Kaseya Customers ⚠️ At this time Sophos is aware of an active industry-wide supply chain attack using Kaseya to deploy ransomware. We will add updates here with more information as it becomes available. ⬇️ https://community.sophos.com/ ...
-
@megaplanit
@megaplanit
on x
We are monitoring a Supply Chain attack outbreak utilizing REvil ransomware. At this time it appears to stem from a malicious Kaseya update. A malicious DLL containing the REvil Ransomware https://blog.megaplanit.com/ ... #cyberattacks #Ransomware #CyberSecurity
-
@orchidnyc
@orchidnyc
on x
This is major. Wire is calling it a ransomware tsunami that is hitting hundreds of companies at once. The attack is believed to be affiliated with REvil gang and ran through Kaseya. Kaseya controls programs for companies that manage internet services for businesses. https://twitt…
-
@shanvav
Shannon Vavra
on x
Kaseya has warned customers to shut down VSA servers “IMMEDIATELY.” DHS' @CISAgov is warning about the incident as well (link: https://us-cert.cisa.gov/... https://twitter.com/...
-
@kevincollier
Kevin Collier
on x
Updated after talking with the owner of a small MSP in California, serving a few hundred people: “There's not a lot of news coming down from Kaseya. We're all in a holding pattern, just hanging tight.” https://www.nbcnews.com/...
-
@propershadow
@propershadow
on x
@combat_penguin @TehStu @GossiTheDog This is the scary part. When you use Kaseya, you have 100% control over that system. We can see your desktop, browse your files, start and stop programs, etc. It's critical for our business to support our clients but it's also nightmare fuel.
-
@clearing_fog
ClearingTheFog
on x
🚨 Ransomware incident in progress. If you run a Kaseya VSA server, Kaseya is recommending that you shut it down right now, because the first thing that the attack does is take away your admin access. h/t @TeresaCCarter2 https://helpdesk.kaseya.com/ ...
-
@tonyajoriley
Tonya Riley
on x
Statement from Kaseya. Recommending customers shut down servers immediately. https://helpdesk.kaseya.com/ ...
-
@bitburner
@bitburner
on x
So far 8 MSPs running Kaseya VSA have been exploited. This particular RMM uses an on-premise box & apparently, that was popped & ransomware was distributed to MSPs clients. I'm guessing popped with “PrintNightmare” as it's been in the wild with no patch. https://helpdesk.kaseya.c…
-
@w7voa
Steve Herman
on x
Critical #ransomware attack reported to have hit 200+ companies. https://helpdesk.kaseya.com/ ...
-
@cybergovau
@cybergovau
on x
❗ Alert ❗ Ransomware group REvil is exploiting vulnerable instances of Kaseya VSA globally. Immediately shut down Kaseya server until further notice. Advice at: https://www.cyber.gov.au/... https://twitter.com/...
-
@alexstamos
Alex Stamos
on x
A note for @SenRickScott: now would be an excellent time for CISA to have a confirmed Director coordinating the USG response to yet another massive ransomware attack! https://us-cert.cisa.gov/...
-
@riskybusiness
Patrick Gray
on x
This is very bad. If you have access to someone's Kaseya server you've got every managed box in the environment. And this isn't light touch Russian collection, it's ransomware. A giant shitshow, this is. https://twitter.com/...
-
@gossithedog
Kevin Beaumont
on x
Microsoft should buy Sophos. https://community.sophos.com/ ...
-
@campuscodi
Catalin Cimpanu
on x
As pointed out here, by shutting down its own cloud infrastructure, Kaseya has kind of admitted that their backend infra got compromised and used in the attack. https://twitter.com/...
-
@brianhonan
@brianhonan
on x
If you are running Kaseya in your environment, or your MSP is, then you had better cancel your plans for the weekend https://twitter.com/...
-
@greypiperr
@greypiperr
on x
“Do we use any Kaseya products?” https://twitter.com/...
-
@davidderigiotis
David Derigiotis
on x
Timing is no coincidence- how many people are on vacation this Friday afternoon? Take note if you are a customer of Kaseya- supply chain ransomware attack https://twitter.com/...
-
@datadrivenmd
Jorge A. Caballero
on x
⚠️ “CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers.” URL redirects to: https://helpdesk.kaseya.com/ ... https://twitter.com/...
-
@ffforward
@ffforward
on x
I wonder if it is a coincidence that @CoopSverige (one of the biggest Swedish supermarket chains) had to shut a lot of their stores early today due to their cash registers not working. Some googling suggests they use an MSP that uses #kaseya https://twitter.com/...
-
@markloman
@markloman
on x
We are monitoring a REvil ‘supply chain’ attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.
-
@kylehanslovan
Kyle Hanslovan
on x
Here's a partner provided screenshot from an impacted Kaseya VSA Server. Nothing worse for threat hunters than seeing an “Archive and Purge Logs” procedure 🙄 https://twitter.com/...
-
@gossithedog
Kevin Beaumont
on x
I've done a quick update about the Kaseya ransomware situation, focusing on the situation in Sweden. It's pretty extraordinary and only scratches the surface on impact. https://doublepulsar.com/... https://twitter.com/...
-
@zackwhittaker
Zack Whittaker
on x
John Hammond, senior security researcher at Huntress Labs, on the Kaseya breach: ~200 companies that use Kaseya's tech had their networks encrypted by REvil (think of this as SolarWinds but with ransomware). “This is a colossal and devastating supply chain attack.” https://twitte…
-
@gossithedog
Kevin Beaumont
on x
Supply chain attack of Kaseya, commonly used in managed service provider environments in the United States, leading to mass ransomware event. Details in link and thread as they develop: https://doublepulsar.com/...
-
@juliadavisnews
Julia Davis
on x
A Massive Ransomware Attack Has Hit More Than 1,000 Companies. The hackers were identified as the Russia-linked ransomware group REvil, which was accused last month of hacking giant meatpacker JBS SA. https://www.bloomberg.com/...
-
@nicoleperlroth
Nicole Perlroth
on x
As it turns out, the “zero day” used to breach Kaseya wasn't a zero day. Dutch researchers tipped the company off to the issue, but Kaseya still hadn't rolled out a patch when REvil used it for its ransomware spree. https://twitter.com/...
-
@jenniferjjacobs
Jennifer Jacobs
on x
NEWS: “We're not sure it was the Russians,” Biden in Michigan, tells me when I asked about the latest cyber attack on US businesses. https://twitter.com/...
-
@a_tweeter_user
@a_tweeter_user
on x
Re: Kaseya Hashes of “cert.exe” will vary by host. Take a closer look at the provided command line arguments (Source: https://community.sophos.com/ ... Note: ➖ copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe Entropy -> hash vari…
-
@williamturton
William Turton
on x
SCOOP: Two of the managed service providers hit by Russian hacking group Revil are Synnex Corp. and Avtex LLC. W/ @JenniferJJacobs @KartikayM https://www.bloomberg.com/...
-
@axios
@axios
on x
“The initial thinking was it was not the Russian government but we're not sure yet,” President Biden said today. https://www.axios.com/...
-
@sub8u
Subrahmanyam Kvj
on x
1,000+ companies impacted by a new ransomware supply chain attack. If cybersecurity is not on your CEO and board's top priorities and you are not proactively investing, you are a sitting duck! https://www.bleepingcomputer.com/ ...
-
@jenniferjjacobs
Jennifer Jacobs
on x
BREAKING: “We're not sure it's the Russians. I got a brief on the plane. That's why I was late getting off” AF1 upon landing in Michigan, Biden tells me. “I directed the intelligence community to give me a deep dive on what's happened, and I'll know better tomorrow,” he said. htt…
-
@wsj
@wsj
on x
The ransomware group behind the hack of meatpacker JBS has begun an attack that may have infected as many as 40,000 computers world-wide, cybersecurity experts say https://www.wsj.com/...
-
@timobrien
Tim O'Brien
on x
Just weeks after Biden implored Putin to curb cyber crime, a notorious, Russia-linked ransomware gang - REvil - has been accused of pulling off an audacious attack on the global software supply chain. There are victims in 17 countries so far. https://www.bloomberg.com/...
-
@nicoleperlroth
Nicole Perlroth
on x
This marks a serious escalation just weeks after Putin-Biden summit on ransomware. Not only is this a supply chain attack on MSPs; they broke in via a zero day, a significant advance for REVil which has traditionally compromised victims through usual means of phishing, etc. https…
-
@business
@business
on x
A massive ransomware attack on the software supply chain has impacted more than 1,000 businesses so far, and the number may continue to grow https://www.bloomberg.com/...
-
@gossithedog
Kevin Beaumont
on x
For those who haven't caught it - one of the orgs caught up in the Kaseya situation is government owned. 😅 Extraordinary stuff. https://twitter.com/...
-
@dimartinobooth
Danielle DiMartino Booth
on x
Trickle down ransomware attack from criminals to medium and small businesses. Will U.S. authorities ever get the memo? There's a rumor we've got the best IT minds in the world. Perhaps give the best of the best a ring? https://www.bloomberg.com/...
-
@biannagolodryga
Bianna Golodryga
on x
“The hackers were identified as the Russia-linked ransomware group REvil, which was accused last month of hacking giant meatpacker JBS SA.” 11 countries were (so far) impacted. Wanna bet Russia wasn't one of them? https://www.bloomberg.com/...
-
@margbrennan
Margaret Brennan
on x
About that POTUS-Putin chat in Geneva.... https://twitter.com/...
-
@_johnhammond
John Hammond
on x
Kaseya has shared an update and is claiming >40 affected MSPs. We can only comment on what we've observed personally, which has been around 20 MSPs who support over 1,000 small businesses, but that number is expanding quickly. https://www.kaseya.com/...
-
@dalperovitch
Dmitri Alperovitch
on x
This is without a doubt going to turn out to be the biggest most destructive ransomware campaign that we've seen so far (NotPetya doesn't count as it wasn't real ransomware) https://twitter.com/...
-
@kevincollier
Kevin Collier
on x
Updated this morn after talking with Teamsters Local 2010, one of the many orgs locked up by this. Kaseya now says nearly 40 MSPs were hit. Each of those has dozens, hundreds, perhaps thousands of victim customers. Can't imagine what the final count will be. https://www.nbcnews.com/…
-
@robertmlee
Robert M. Lee
on x
Good thread on the Kaseya ransomware event. Also - thinking about all the security staff and incident responders who just had their weekend ruined, if we can't stop criminals it'd be nice to at least have some norms around weekends and holidays. https://twitter.com/...
-
@bdsams
Brad Sams
on x
This is bad...real bad, if you know what Kaseya is, good luck and I hope your environment is ok https://twitter.com/...
-
@pwnallthethings
@pwnallthethings
on x
So if you want a spicy take, although the direct impact of this is relatively small /so far/, its strategic impact dwarfs everything else in cybersecurity this year by a margin including Exchange hack, Colonial pipeline hack, and maybe even SolarWinds. https://twitter.com/...
-
@gossithedog
Kevin Beaumont
on x
One thing I'd recommend when vendors recommend/require antivirus exclusions - ignore them. Just pretend you've done them, they won't realise the difference. That's what I did at Crabbers, our Sophos exclusions list was actually empty. https://doublepulsar.com/... https://twitter.…
-
@campuscodi
Catalin Cimpanu
on x
Kaseya update: The company is bringing its SaaS platform back online, as it was not affected by yesterday's incident. https://helpdesk.kaseya.com/ ... https://twitter.com/...
-
@gossithedog
Kevin Beaumont
on x
I have updated on how the situation with Kaseya and MSP customers being ransomware'd unfolded - a zero day vulnerability. https://doublepulsar.com/... https://twitter.com/...
-
@campuscodi
Catalin Cimpanu
on x
Sophos confirmed the incident a few hours later: https://twitter.com/...
-
@gossithedog
Kevin Beaumont
on x
Added statement from Kaseya on the ransomware event unfolding with their customers. https://doublepulsar.com/... https://twitter.com/...
-
@randahabib
Randa Habib
on x
President Joe Biden said he has directed U.S. intelligence agencies to investigate who was behind a sophisticated ransomware attack that hit hundreds of American businesses and led to suspicions of Russian gang involvement. https://www.reuters.com/...
-
@gossithedog
Kevin Beaumont
on x
Coop in Sweden have shut down 800 stores as they used an MSP on point of sale devices, who used Kaseya, so now they have REvil ransomware. Nightmare fuel. Should be a wake up call for governments, insurance, businesses etc. https://twitter.com/...
-
@janlemnitzer
Jan Lemnitzer
on x
First time I have seen an EU politician say on the record that the escalating ransomware impact is not only tolerated by Russia but serves its strategic goals of destabilizing the West. https://twitter.com/...
-
@bgroothuis
Bart Groothuis
on x
This is the ransomware nightmare any company or government can expect to happen. This is what we are working on in Brussels to prevent, in the new cyber security legislation #NIS2. But we need to be aware this is also a Russian foreign policy objective #safehaven @eu_eeas https:/…
-
@ciaranmartinoxf
Ciaran Martin
on x
Extraordinary: ransomware attack on American company disrupts 20% of Swedish food retail capacity, pharmacies, train ticket sales & they're not even direct customers https://twitter.com/...
-
@campuscodi
Catalin Cimpanu
on x
Supermarket chain Coop closes 800 stores across Sweden in the Kaseya ransomware fallout https://therecord.media/... https://twitter.com/...