WASHINGTON (July 5, 2021)—Since Friday, the United States Government has been working across the interagency to assess the Kaseya ransomware incident and assist in the response. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been working with Kaseya and coordinating to conduct outreach to impacted victims. Yesterday, President Biden directed the full resources of the government to investigate this incident. We extend our thanks to the cybersecurity professionals across the FBI, CISA, and the intelligence community for working around the clock to respond to this incident.
We urge anyone who believes their systems have been compromised in the Kaseya ransomware incident to immediately report to the Internet Crime Complaint Center at https://www.IC3.gov. The FBI and CISA will reach out to identified victims to provide assistance based upon an assessment of national risk. We also urge you to immediately follow the guidance from Kaseya including shutting down your VSA servers and implementing CISA’s and FBI’s mitigation techniques.
Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.
An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said. They reported ransom demands of up to $5 million.
The FBI said in a statement Sunday that it was investigating the attack along with the federal Cybersecurity and Infrastructure Security Agency, though “the scale of this incident may make it so that we are unable to respond to each victim individually.” Deputy National Security Advisor Anne Neuberger later issued a statement saying US President Joe Biden had “directed the full resources of the government to investigate this incident” and urged all who believed they were compromised to alert the FBI.
Upon learning of the attack, Kaseya says it immediately shut down its SaaS servers as a precautionary measure, and it notified its on-premises customers “via email, in-product notices, and phone” to shut down their on-premises VSA servers to prevent them from being compromised. Kaseya also directed its on-premises customers to keep those servers offline until the affected systems had been checked and confirmed safe.
Kaseya added that it is working with its internal forensic team and law enforcement agencies to investigate the attack.
“Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide,” Kaseya CEO Voccola said. “We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24-48 hours.”
In a follow-up update on Saturday morning, the company said it has been working around the clock on “a security assessment, client support, progress update, technical resolution, and return to operational status standpoint.”
Kaseya also said: “We have been advised by our outside experts that customers who experienced ransomware and receive a communication from the attackers should not click on any links - they may be weaponized.”
Kaseya said it will continue to post updates every 3-4 hours.
On Saturday evening, Kaseya reported that it has engaged with FireEye and other unidentified incident response firms to identify indicators of compromise related to its breach. “We have identified a set of preliminary IoCs and have been working with our affected customers to validate them,” Kaseya reports.
On Sunday morning, the firm reported initial results from the rollout of its new Compromise Detection Tool for Kaseya VSA customers.
“The new Compromise Detection Tool was rolled out last night to almost 900 customers who requested the tool,” Kaseya said. “Based on feedback from customers, we will be publishing an update to the tool this morning that improves its performance and usability. There are no changes that will require a re-run of the tool on systems that have been scanned.”
Additionally, Kaseya said: “We will be opening up a private download site for end customers to get access to the Compromise Detection Tool once we have ensured the security, integrity, and trackability of the download process.”
As of Saturday evening, Kaseya acknowledges only one new report of a compromise occurring because of a VSA on-premises server being left on. “We are confident we understand the scope of the issue and are partnering with each client to do everything possible to remediate,” Kaseya says. “We believe that there is zero related risk right now for any VSA client who is a SaaS customer or on-prem VSA customer who has their server off.”
Kaseya also says it is working with both the FBI and the U.S. Cybersecurity and Infrastructure Security Agency on an incident-handling process for worldwide customers impacted by the cyberattack. The following message will be posted to the FBI website:
“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow Kaseya’s guidance to shut down your VSA servers immediately, and report your compromise to the FBI at https://www.IC3.gov. Due to the potential scale of this incident, we may be unable to respond to each victim individually but all information we receive will be useful in countering this threat.”
Sources: Bank Info Security, the White House and AP News contributed to this article.