Kaseya VSA is a solution commonly used by managed service providers (MSPs) to manage their clients, which are usually SMB customers. On 7/2/2021, at ~12 PM EST, an automatic update of the product delivered REvil ransomware. This means that the MSPs that were infected are in turn infecting their customers' systems.
Here is what we know so far.
Observation 1:
A sample shows the ransomware gang is asking for $5,000,000 in exchange for a decryptor.
Observation 2:
The ransomware changed the registry to automatically log in with a newly created account using the password "DTrump4ever".
Observation 3:
C:\kworking\agent.exe is the file that triggers the encryption.
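The following is an added, read-only triage script (not from the original post) that checks a Windows host for the two host-level indicators above: the dropped C:\kworking\agent.exe and an auto-logon configuration. The page does not name the registry key that was changed; the script assumes the standard Winlogon AutoAdminLogon/DefaultUserName/DefaultPassword values, and additionally looks for recent account-creation events (Security event ID 4720) because the page says a new account was added. The function name and parameter names are hypothetical.

```powershell
# Added example (not from the original post): read-only host triage for the
# indicators listed above. Nothing is deleted or modified; run from an elevated
# PowerShell prompt so the registry and Security log are readable.
function Test-KaseyaRevilIndicators {
    [CmdletBinding()]
    param(
        [string]$AgentPath     = 'C:\kworking\agent.exe',  # path from the page
        [string]$KnownPassword = 'DTrump4ever',            # password from the page
        [int]$LookbackHours    = 72                        # window for account-creation events (assumption)
    )
    $findings = @()

    # Observation 3: the dropped agent.exe. Record size, timestamps and hash for the case file.
    if (Test-Path -LiteralPath $AgentPath) {
        $item = Get-Item -LiteralPath $AgentPath
        $hash = (Get-FileHash -LiteralPath $AgentPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'agent.exe present'
            Detail    = "$AgentPath ($($item.Length) bytes, created $($item.CreationTime), SHA256 $hash)"
        }
    }

    # Observation 2: auto-logon. Assumption: the standard Winlogon mechanism is used.
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
    if ($wl) {
        if ("$($wl.AutoAdminLogon)" -eq '1') {
            $findings += [pscustomobject]@{
                Indicator = 'AutoAdminLogon enabled'
                Detail    = "DefaultUserName=$($wl.DefaultUserName) DefaultDomainName=$($wl.DefaultDomainName)"
            }
        }
        if ("$($wl.DefaultPassword)" -eq $KnownPassword) {
            $findings += [pscustomobject]@{
                Indicator = 'Known auto-logon password set'
                Detail    = "Winlogon DefaultPassword matches the value reported for this campaign"
            }
        }
        # If an auto-logon user is configured, confirm whether it exists as a local account.
        if ($wl.DefaultUserName) {
            $acct = Get-LocalUser -Name $wl.DefaultUserName -ErrorAction SilentlyContinue
            if ($acct) {
                $findings += [pscustomobject]@{
                    Indicator = 'Auto-logon account exists locally'
                    Detail    = "Name=$($acct.Name) Enabled=$($acct.Enabled) LastLogon=$($acct.LastLogon)"
                }
            }
        }
    }

    # New local account creation: Security event 4720 within the lookback window.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
        -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $findings += [pscustomobject]@{
            Indicator = 'Local account created (event 4720)'
            Detail    = "$($ev.TimeCreated): $($ev.Message.Split("`n")[0].Trim())"
        }
    }

    return $findings
}

# Usage: print any findings as a table; an empty result means none of the checked indicators were present.
Test-KaseyaRevilIndicators | Format-Table -AutoSize -Wrap
```

The script only reads state; if agent.exe or the auto-logon values are found, treat the host as compromised and follow the incident response process (isolate, preserve the file and registry hive for forensics, reset the affected account) rather than cleaning it in place.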