REvil ransomware attack against Kaseya VSA

    • Updated:
    • 15 Jul 2021
    • Product/Version:
    • TXOne - StellarEnforce
    • TXOne - StellarProtect
    • Worry-Free Business Security Services
    • Platform:
Summary

On July 2, 2021 at 2:00 PM EDT, Kaseya made an important announcement about a potential attack against Kaseya VSA. Immediately shutting down the VSA server is recommended until further notice.

From the advisory of Kaseya:

We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.

We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.

It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.

Trend Micro encourages you to review the Advisory and immediately follow their guidance to shut down VSA servers.

Details

CHECKLIST

For Worry-Free Business Security Services (WFBS-SVC) customers, please follow the Worry-Free Security Services Checklist to protect the network from REvil Ransomware. Please contact Trend Micro support for any assistance needed in configuring your protections from this threat.

Trend Micro customers who run specialized systems such as POS terminals, at times on a legacy OS such as Windows Embedded XP, very often cannot run real-time AV/AM scanners equipped with the latest detection techniques. For such customers, the TXOne StellarEnforce and StellarProtect software agents can be installed on legacy OS systems and provide adequate protection against the different types of ransomware attacks, including REvil.

Please contact Trend Micro Technical Support for any assistance needed in configuring your protections from this threat.

PROACTIVE IOC ASSESSMENT

For Worry-Free XDR or Worry-Free EDR customers, please use the Indicators of Compromise listed below to initiate a proactive IOC Assessment across your network and take the necessary mitigation actions.

For MSP partners, you can perform the IOC Assessment across Worry-Free XDR and Worry-Free EDR customers from your Remote Manager console – Instructions.

INDICATOR                                                           TYPE
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd    SHA-256
2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643    SHA-256
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e    SHA-256
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2    SHA-256

For TxOne Stellar customers, please use the following indicators (User-Defined Suspicious Objects).

USER-DEFINED SUSPICIOUS OBJECT (UDSO)       TYPE
e1d689bf92ff338752b8ae5a2e8d75586ad2b67b    SHA-1
656c4d285ea518d90c1b669b79af475db31e30b1    SHA-1
5162f14d75e96edb914d1756349d6e11583db0b0    SHA-1
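For hosts that are not enrolled in Worry-Free XDR/EDR or TXOne Stellar (for example during manual triage), the same hash-based check can be run locally. The script below is an added example and is not part of the Trend Micro article or its products: it computes SHA-1 and SHA-256 in one pass over each file and reports any file whose digest appears in either of the two indicator tables above. The function names, the scan root and the constructed sample file are assumptions.

```python
import hashlib
import os
import tempfile
# Hash IOCs from the advisory above: SHA-256 (Worry-Free XDR/EDR) and SHA-1 (TXOne UDSO).
IOC_SHA256 = {
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",
    "2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643",
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2",
}
IOC_SHA1 = {
    "e1d689bf92ff338752b8ae5a2e8d75586ad2b67b",
    "656c4d285ea518d90c1b669b79af475db31e30b1",
    "5162f14d75e96edb914d1756349d6e11583db0b0",
}

def file_digests(path, chunk=1 << 20):
    """Return (sha1, sha256) hex digests, computed in one chunked pass."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h1.update(block)
            h256.update(block)
    return h1.hexdigest(), h256.hexdigest()

def sweep(root, sha1_iocs=IOC_SHA1, sha256_iocs=IOC_SHA256):
    """Walk root; return (path, algorithm, digest) for each file matching an IOC set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha1, sha256 = file_digests(path)
            except OSError:  # locked or unreadable files are skipped, not fatal
                continue
            if sha256 in sha256_iocs:
                hits.append((path, "SHA-256", sha256))
            elif sha1 in sha1_iocs:
                hits.append((path, "SHA-1", sha1))
    return hits

def self_check():
    """Constructed sample file (not malware): matches only when its own digest is an IOC."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample content")
        sha1, sha256 = file_digests(path)
        clean = sweep(d)  # real IOC set: no hit expected
        by_256 = sweep(d, sha256_iocs={sha256})
        by_1 = sweep(d, sha1_iocs={sha1}, sha256_iocs=set())
        return clean, by_256 == [(path, "SHA-256", sha256)], by_1 == [(path, "SHA-1", sha1)]
```

Run sweep() against the paths where a suspect binary would have been staged and escalate any hit to Trend Micro support rather than acting on the file alone.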
Solution Id:
000286890