The supply chain attack has reached over a thousand organizations.
Three days after ransomware attackers started the holiday weekend by compromising Kaseya VSA, we have a clearer idea of how widespread the impact has been. In a new ransom demand, the attackers claim to have compromised more than 1 million computers, and demand $70 million to decrypt the affected devices.
Kaseya’s software is used by Managed Service Providers to perform IT tasks remotely, but on July 2nd, the Russia-linked REvil ransomware group deployed a malicious software update exposing providers who use the platform, and their clients.
The Dutch Institute for Vulnerability Disclosure (DIVD) revealed that it appears the exploit used for the breach was same one they discovered and were in the process of addressing when the attackers struck. “We were already running a broad investigation into backup and system administration tooling and their vulnerabilities,” DIVD wrote. “One of the products we have been investigating is Kaseya VSA. We discovered severe vulnerabilities in Kaseya VSA and reported them to Kaseya, with whom we have been in regular contact since then.”
On Friday, Kaseya CEO Fred Vocolla said that “Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.” Sophos VP Ross McKerchar said in a statement Sunday that “This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”