11:20am, 12 July 2021
Kaseya management software being used to deploy ransomware
Updated at 11.00am on 12 July: Kaseya have released the update for on-premise servers, in addition to a Startup Runbook to ensure servers are restarted securely. They have also released a runbook for their Software as a Service offering, as they prepare to resume their cloud service.
Updated at 9.00am on 5 July: Kaseya has released a tool that users can run to check their VSA server for signs of compromise. This can be requested by emailing firstname.lastname@example.org with the subject line "Compromise Detection Tool Request"
Kaseya has confirmed that VSA servers will need a patch applied, and will provide further security advice that users should follow before restarting the VSA server.
Kaseya has reported that some of their customers using VSA remote management and monitoring software have had their devices encrypted by REvil ransomware.
Investigation is ongoing, however all Kaseya VSA users are urged to shut down their VSA instances until further notice.
Organisations using Kaseya VSA software to manage their IT infrastructure.
Any system managed by the VSA solution could be affected.
What this means
Any organisations with Kaseya VSA servers are at risk of REvil ransomware.
What to look for
How to tell if you're at risk
If your organisation uses Kaseya VSA management software.
How to tell if you're affected
Huntress Labs are investigating, and have provided indicators of compromise in a Reddit thread External Link , which they are continuing to update.
Sophos has also released a set of indicators of compromise. External Link
What to do
Updated 11.00am on 12 July: CERT NZ recommends that you follow the appropriate advice in the Startup Runbook External Link provided by Kaseya to resume the service, this includes the application of the security update.
Shut down Kaseya VSA servers until Kaseya issues instructions on how to safely restart them.
Kaseya security notice. External Link
Kaseya Startup Runbook. External Link
Huntress Labs Reddit thread. External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at email@example.com or call the MBIE media team on 027 442 2141.