Two hundred companies infected with ransomware via managed service provider

At least two hundred companies were infected with ransomware in a major attack carried out through their managed service provider (MSP). The attackers are demanding millions of dollars from affected companies to decrypt their files.

The attack appears to have been carried out through a rogue update to Kaseya VSA, Mark Loman of antivirus company Sophos said on Twitter. Managed service providers use the software to remotely manage their customers' systems, for example to install updates and solve problems.

Kaseya is calling on MSPs to shut down their VSA servers. The company itself has disabled its own SaaS servers as a precaution. The National Cyber Security Center (NCSC) advises customers of MSPs who use VSA agents to contact their managed service provider for further instructions. The exact cause is not yet known, but research shows that the attackers immediately cut off the administrator's access to VSA.

According to Kaseya, fewer than 40 customers using VSA servers are currently known to be affected. However, a managed service provider may have dozens or hundreds of customers of its own. Security company Huntress reports on Reddit that it knows of three MSPs that together have at least 200 companies as customers whose systems are encrypted.

The attack is said to have been carried out by the group behind the REvil ransomware, which was previously behind the attack on meat processor JBS. JBS paid the attackers a ransom of $11 million. In the attack now observed, ransoms of up to $5 million are being demanded.

This is not the first time that criminals have infected companies with ransomware through managed service providers. Several such attacks occurred in 2019. For example, systems at 100 American dental practices were encrypted.
