The supply chain attack on Kaseya VSA affects approximately 1,500 companies worldwide, according to a status update from the manufacturer dated July 5, 2021. Meanwhile, the REvil group is demanding around $70 million in ransom to release the master key to decrypt the systems. Here is an overview of the latest developments.
Yesterday I reported in my German blog post about the Kaseya VSA supply chain attack and the Coop Sweden case that the REvil ransomware group is claiming 1 million infected systems for this attack. The group is demanding around US$70 million in ransom to release the master key to decrypt the systems. Sounds gigantic, but it seems that lower sums, such as US$50 million, have also been on the table. Now we have more details.
Kaseya status update from July 5
In a status update dated July 5, 2021, Kaseya states that the company is aware of fewer than 60 Kaseya customers using the VSA on-premises product who were directly affected by this attack. This likely refers to managed service providers, MSPs, who provide IT services to several other companies. This triples the number of Kaseya customers affected, as the original number was 20.
Reading Kaseya's announcement, the figure of 1 million infected systems claimed by REvil seems far-fetched. Although many of Kaseya's VSA customers provide IT services to several other companies, Kaseya reports that fewer than 1,500 companies have been affected. The vendor writes that it has found no evidence that any of its SaaS customers have been compromised. And as of Saturday, July 3, Kaseya has received no new reports of compromises at VSA customers. VSA is the only Kaseya product affected by the attack; all of the vendor's other IT solutions (referred to as Complete modules) are unaffected.
On Twitter, I came across the above tweet that reports that Kaseya has released two PowerShell scripts that can be used to identify the compromised or vulnerable machines. What's disturbing is that the scripts are on a website that has nothing to do with Kaseya. And you have to log in to get to the scripts. Possibly someone copied them from Kaseya and put them there. On the Kaseya website I could not find anything similar.