A massive REvil ransomware attack affects multiple managed service providers and their clients through a Kaseya supply-chain attack.
The REvil ransomware gang, aka Sodinokibi, targeted MSPs with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack. There are at least eight known large MSPs that have been hit in this supply-chain attack.
Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.
According to Huntress Labs’ John Hammond, all of the affected MSPs are using Kaseya VSA and their customers are being encrypted as well. Three Huntress partners are impacted, with roughly 200 businesses encrypted.
Kaseya is currently investigating the cause of the incident and has issued a security advisory on its help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the attack’s spread.
Kaseya has shut down its SaaS servers and is working with other security firms to investigate the incident.
A sample of the REvil ransomware was found to have been used in one of these attacks, but it is not known whether this is the sample used for every victim or whether each MSP received its own ransom demand.
In one of the samples, the ransomware gang is demanding a ransom of $5,000,000 for a decryptor.
According to Emsisoft CTO Fabian Wosar, MSP customers who were impacted by the ransomware attack received a much smaller $50,000 ransom demand.
MSPs are a lucrative target for ransomware gangs because they provide an easy channel to infect many companies through a single breach.
The REvil ransomware gang usually steals data before deploying the ransomware and encrypting devices, so it is not yet known whether the attackers exfiltrated any files in this incident.