Kaseya, a company that provides IT management software to managed service providers (MSPs) and IT companies, has been hit with a REvil (aka Sodinokibi) ransomware attack at the dawn of the Fourth of July weekend, as reported in the company’s own announcement.
The company describes it as a “sophisticated cyberattack” that was geared toward its on-premises VSA product. The company advised all its customers to shut down their on-premises VSA servers until further notice.
Kaseya has decided to also immediately shut down its software-as-a-service (SaaS) servers as a conservative security measure while investigations are ongoing.
The VSA software, which is typically used to distribute software updates to customers, was weaponized to push a malicious PowerShell script, which then loaded the REvil ransomware payload onto customer systems. It’s also important to note that non-Kaseya customers could also be affected via their service providers.
| DETECTION/POLICY/RULES | PATTERN BRANCH/VERSION | RELEASE DATE |
|---|---|---|
| Predictive Machine Learning | | |

| | PATTERN BRANCH/VERSION | RELEASE DATE |
|---|---|---|
| hxxp[:]//aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion/ | Malware Accomplice, Ransomware | 07-03-2021 |
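The indicator above is published in defanged form (`hxxp`, `[:]`, `[.]`), so it cannot be matched against proxy or DNS logs as-is. The following Python script is an added example, not part of this article or of any Trend Micro product: it refangs the indicator, extracts its hostname, and checks constructed proxy/DNS log lines for contact with that host. The log format (`host=` / `query=` fields) and the sample lines are assumptions made for the example; adapt `HOST_FIELD` to your own log schema.

```python
import re
from urllib.parse import urlsplit
from typing import Dict, Iterable, List

# Indicator exactly as published in the table above, in defanged form.
DEFANGED_IOC = "hxxp[:]//aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion/"

# Constructed sample log lines (not real telemetry): one proxy CONNECT to the
# .onion host, one benign request, and one DNS query for the same host in
# upper case with a trailing dot, to show that matching is case-insensitive.
SAMPLE_LOG = [
    "2021-07-03T14:02:11Z proxy client=10.0.5.23 method=CONNECT "
    "host=aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion:443 action=blocked",
    "2021-07-03T14:02:12Z proxy client=10.0.5.41 method=GET "
    "host=updates.example.com:443 action=allowed",
    "2021-07-03T14:05:40Z dns client=10.0.7.9 "
    "query=APLEBZU47WGAZAPDQKS6VRCV6ZCNJPPKBXBR6WKETF56NF6AQ2NMYOYD.ONION. type=A",
]

# Assumed log schema: the contacted host appears as host=<name>[:port] or query=<name>.
HOST_FIELD = re.compile(r"(?:host|query)=([A-Za-z0-9.-]+)")


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the indicator becomes a real URL."""
    s = indicator.strip()
    # hxxp -> http, hxxps -> https (scheme only)
    s = re.sub(r"^hxxp(s?)", r"http\1", s, flags=re.IGNORECASE)
    for broken, fixed in (("[:]", ":"), ("[.]", "."), ("(.)", "."), ("[dot]", ".")):
        s = s.replace(broken, fixed)
    return s


def ioc_hostname(indicator: str) -> str:
    """Lower-case hostname of a (possibly defanged) URL indicator."""
    host = urlsplit(refang(indicator)).hostname
    if not host:
        raise ValueError(f"no hostname in indicator: {indicator!r}")
    return host.lower()


def find_ioc_hits(log_lines: Iterable[str], indicators: Iterable[str]) -> List[Dict[str, str]]:
    """Return every log line whose host/query field equals a watched indicator host."""
    watch = {ioc_hostname(i) for i in indicators}
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = HOST_FIELD.search(line)
        if not m:
            continue
        # Normalise: lower-case, drop a trailing dot from fully qualified DNS names.
        host = m.group(1).lower().rstrip(".")
        if host in watch:
            hits.append({"host": host, "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG, [DEFANGED_IOC]):
        print("IOC hit:", hit["line"])
```

Any appearance of a `.onion` name in enterprise DNS or proxy telemetry is worth an alert on its own, since Tor hidden services are rarely a legitimate business destination; matching the exact published host simply raises the confidence that the traffic is related to this campaign.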
Solution Map - What should customers do?
To update Trend Micro products, visit Online Help Center.
Make sure to always use the latest pattern available to detect the old and new variants of REvil/Sodinokibi Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.
- Threat Encyclopedia: Trojan.Win32.SODINSTALL.YABGC
- Threat Encyclopedia: Ransom.Win32.SODINOKIBI.YABGC