Kaseya VSA is a remote monitoring and management product widely used by managed service providers (MSPs) to administer their clients, which are mostly SMB customers. On 7/2/2021, at roughly 12 PM EST, an automatic update pushed through the product delivered REvil ransomware. Because VSA manages endpoints downstream, MSPs whose servers were compromised have in turn infected their customers' systems.

Here is what we know so far.

Observation 1:

A ransom note from one sample shows the gang demanding $5,000,000 for a decryptor.


Observation 2:

The ransomware modifies the Windows autologon registry values so that the machine logs in automatically with a newly created account whose password is "DTrump4ever".


Observation 3:

C:\kworking\agent.exe is the dropper that triggers the encryption; its presence on an endpoint is the primary host indicator.


Here are the actions you should take:

Kaseya Advisory:

Kaseya released advisory notes here


Check if you have victims on your servers:

Automated script: Link

A list of IOCs: Link
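If you cannot run the linked script, the following is an added example (written for this post, not Kaseya's or DTonomy's script) that performs a minimal manual triage of a single Windows endpoint using only the indicators from the three observations above: the dropper path, the autologon registry values, and anything running out of C:\kworking. The Winlogon key path and the `AutoAdminLogon` value name are standard Windows locations; that REvil sets them is consistent with Observation 2, and any other indicator is an assumption noted in the comments. Run it in an elevated PowerShell session on each suspect host.

```powershell
# Added example, not from the original post: triage one endpoint for the
# Kaseya/REvil indicators described above. Run elevated.
$findings = @()

# Observation 3: the dropper that triggers encryption.
$dropper = 'C:\kworking\agent.exe'
if (Test-Path -LiteralPath $dropper) {
    $hash = (Get-FileHash -LiteralPath $dropper -Algorithm SHA256).Hash
    $findings += "Dropper present: $dropper (SHA256 $hash)"
}

# Observation 2: autologon configured with the known password.
# Winlogon is the standard location for AutoAdminLogon/DefaultUserName/DefaultPassword.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
if ($wl -and $wl.DefaultPassword -eq 'DTrump4ever') {
    $findings += "Winlogon autologon enabled (AutoAdminLogon=$($wl.AutoAdminLogon)) for user '$($wl.DefaultUserName)' with the known REvil password"
}

# Assumption for this example: anything executing from the staging directory is suspicious.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like 'C:\kworking\*' } |
    ForEach-Object {
        $findings += "Process running from C:\kworking: $($_.ProcessName) (PID $($_.Id), $($_.Path))"
    }

# Report, and leave a record beside the script for collection.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
if ($findings.Count -eq 0) {
    "[$stamp] $env:COMPUTERNAME: none of the indicators from this post were found"
} else {
    $findings | ForEach-Object { "[$stamp] $env:COMPUTERNAME [!] $_" }
}
```

A clean result from this check only means these three indicators are absent; it is not proof the host is untouched, so still run the full IOC list linked above. If the check does find indicators, do not reboot the machine (the autologon change is there to survive a restart) and isolate it from the network before collecting evidence.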


Shut down VSA servers

Automated script:  Link
