WHAT WE KNOW

IMPORTANT INFORMATION

  • If you happen to be an NSA/Datto client, you should not be impacted and should continue to have your automated backups run as usual. Datto disconnected any Kaseya RMM links to their backup solutions to prevent even a remote possibility of an infection.

WHO DOES THIS IMPACT

  • ANY NSA OR TUG MEMBERS THAT MAY BE USING THE ON-PREMISES VERSION OF KASEYA’S REMOTE MONITORING SOLUTION, PLEASE TAKE NOTE OF A RECENT ATTACK ON KASEYA AND STEPS TO TAKE IF YOU’RE AFFECTED.

ACTIONS TO TAKE IMMEDIATELY

  • Kaseya urges customers to immediately shut down their VSA server.
  • Kaseya has developed a patch for customers running VSA on their own servers, and it should be available after SaaS servers are brought back online last night, Kaseya said in an update.
  • Kaseya also released a new, free compromise detection tool that customers can use to check networks and computers. The new version searches for indicators of compromise, data encryption, and the REvil ransom note. “We recommend that you re-run this procedure to better determine if the system was compromised by REvil,” Kaseya said. “A set of requirements will be posted prior to service restart to give our customers time to put these countermeasures in place in anticipation of a return to service on July 6th.”

UPDATES FROM KASEYA:

“To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised,” Kaseya said in an update on the attack.

HOW DID THIS HAPPEN?

Thank you and please contact NSA with any questions!