Kaseya VSA is a remote monitoring and management product commonly used by managed service providers (MSPs) to administer their clients, which are usually SMB customers. On 7/2/2021, at roughly 12 PM EST, a malicious update pushed through the product delivered REvil ransomware to managed endpoints. In other words, the compromised MSPs' VSA servers were used to infect their customers' systems.
Here is what we know so far.
Observation 1:
A sample shows the ransomware gang demanding $5,000,000 for a decryptor.
Observation 2:
The ransomware modified the Winlogon auto-logon registry values so that the machine automatically logs on with a newly created account whose password is "DTrump4ever".
Observation 3:
C:\kworking\agent.exe is the dropped file that launches the encryption.
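Observations 2 and 3 give two host-level indicators that can be checked directly on an endpoint. The following PowerShell triage script is an added example, not Kaseya's script or any vendor's detection content; it assumes only the path and password quoted above and the standard Winlogon registry location, and it does not check hashes or other artifacts because none are given here. Run it as Administrator on a managed endpoint, or push it to many hosts with Invoke-Command.

```powershell
# Added example (not Kaseya's or any vendor's script): triage one Windows host
# for the indicators described in Observations 2 and 3. Run as Administrator.
# Assumptions: the dropper path and the auto-logon password are exactly as
# reported; the account name is not known, so it is read from the registry.
function Test-KaseyaRevilIndicators {
    $findings = @()

    # Observation 3: the dropper and its staging directory
    $dropper = 'C:\kworking\agent.exe'
    if (Test-Path -LiteralPath $dropper) {
        $item = Get-Item -LiteralPath $dropper
        $findings += [pscustomobject]@{
            Indicator = 'Dropper present'
            Detail    = "$dropper ($($item.Length) bytes, written $($item.LastWriteTime))"
        }
    }
    elseif (Test-Path -LiteralPath 'C:\kworking') {
        # The payload was staged here; the directory alone is worth a look
        $findings += [pscustomobject]@{
            Indicator = 'Staging directory present'
            Detail    = 'C:\kworking exists but agent.exe is gone (possibly cleaned up)'
        }
    }

    # Observation 2: Winlogon auto-logon tampering
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    if ($wl -and $wl.DefaultPassword -eq 'DTrump4ever') {
        $findings += [pscustomobject]@{
            Indicator = 'Known auto-logon password'
            Detail    = "DefaultPassword matches IOC; DefaultUserName=$($wl.DefaultUserName)"
        }
    }
    elseif ($wl -and $wl.AutoAdminLogon -eq '1') {
        # Any auto-logon on a managed endpoint deserves review, even if the password differs
        $findings += [pscustomobject]@{
            Indicator = 'AutoAdminLogon enabled'
            Detail    = "DefaultUserName=$($wl.DefaultUserName)"
        }
    }

    # If auto-logon points at a local account, report whether it still exists
    if ($wl -and $wl.DefaultUserName) {
        $user = Get-LocalUser -Name $wl.DefaultUserName -ErrorAction SilentlyContinue
        if ($user) {
            $findings += [pscustomobject]@{
                Indicator = 'Auto-logon account exists locally'
                Detail    = "$($user.Name) created/last set $($user.PasswordLastSet), enabled=$($user.Enabled)"
            }
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "No Kaseya/REvil indicators found on $env:COMPUTERNAME"
    }
    else {
        Write-Warning "Possible REvil activity on $env:COMPUTERNAME"
        $findings | Format-Table -AutoSize
    }
    return $findings
}

# Local run; for a fleet: Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-KaseyaRevilIndicators}
Test-KaseyaRevilIndicators
```

A hit on either indicator means the host should be isolated and imaged before anything is changed; the script only reads, it does not remove the account or the dropper.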
Here is what you should do:
Kaseya Advisory:
Kaseya has published an advisory (linked here).
Check if you have victims on your servers:
Automated script: Link
A list of IOCs: Link
Shut down your VSA servers immediately
Automated script: Link