

I know that you are used to getting these on Wednesday night, but this is too important to wait.

The Russia-based REvil ransomware gang has executed yet another supply chain attack.

And the ransom demand is somewhat staggering at $70 million.

This time the attack is against a piece of software called VSA. It is a remote management software tool used by managed service providers. The software is owned by Kaseya, a company that goes around buying other software companies. That probably means that they have very little understanding what is inside the software that they own.

One more time, this attack spread through Kaseya’s update servers.

Over the weekend they told MSPs to TURN OFF any VSA servers that they own and not turn them back on until they are both patched and validated as not infected. CISA has released an infection detection tool.

As a precaution, Kaseya also turned off their own cloud hosted servers.

Unfortunately, the word did not get out soon enough.

Lawrence Abrams of Bleeping Computer says that they know of at least 20 MSPs that are infected and 1,000 of their clients are also encrypted.

The problem is that there are probably many thousands more customers who could be infected: small MSPs that don’t operate over the weekend, and customers who don’t yet know that they have been hit by ransomware.

Already a Swedish supermarket chain has closed 500 stores due to the attack.

It is not a coincidence that Russia launched this attack over the July 4th holiday weekend when folks are off work, partying and possibly using a variety of mind altering substances.

So what do you do?

UNDERSTAND THAT THIS ATTACK COULD BE JUST THE START OF A BIGGER CAMPAIGN.

If you are an MSP, turn off those servers. If you do not have an internal 24×7 SOC, you need one. Small MSPs are the most at risk. If you need help, contact us.

Second, if you use an MSP, reach out to them. They have the keys to your kingdom. How much cyber insurance do they have? Are you an additional loss payee? What does your agreement say about their responsibilities? If you are in a regulated industry and a victim, you are likely required to notify your regulator. If you are not in a regulated industry, you should assume that if your data was encrypted, it was also stolen, which means that you have a cyber incident. Invoke your incident response plan. If you need help, again, contact us.

THIS PROBLEM IS NOT GOING AWAY. FOR COMPANIES THAT DO NOT HAVE A ROBUST VENDOR CYBER RISK MANAGEMENT PROGRAM, YOU MAY NEED TO USE YOUR OWN CYBER INSURANCE TO PAY TO CLEAN UP THE MESS. YOU WILL ALSO, LIKELY, HAVE TO INVOKE YOUR DISASTER RECOVERY AND BUSINESS CONTINUITY PROGRAMS.

Finally, if you are in a regulated industry, we are seeing regulators getting much more intense in their oversight. For one customer that we have been working with this week, last year their regulator had one finding after reviewing their cybersecurity program. This year they had more than a half dozen. If you are trying to build a robust cybersecurity program from a standstill, it is going to take a lot of horsepower to do that. Get started now.

Articles:

Bleeping Computer

Bleeping Computer – FBI and CISA Guidance on what to do for MSPs

Bleeping Computer – Kaseya was working on a fix at the time of the attack, after having been informed of the bug by researchers.

Bleeping Computer – Swedish supermarket chain shuts down 500 stores after cash registers stop working

Cyber News – Ransom Demand