A supply chain attack on Kaseya VSA has caused a mass ransomware event.

The attack began with a zero-day vulnerability in Kaseya VSA, a remote monitoring and management tool, and spread to managed service providers (MSPs) and some of their customers.

Kaseya, a US-based software company, issued its first warning about the incident on Friday afternoon local time, saying it was “investigating a potential attack” which was “limited to a small number of our on-premises customers only”.

“Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos said in a blog about the incident.

“As such, it has a high level of trust on customer devices.

“By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question.”

By Friday night Kaseya had turned off its VSA cloud service while calling, emailing, and pushing in-app notifications to its customers, begging them to switch off on-premises Kaseya VSA servers.

But, as one Reddit user said, “it was already too late”.

The potential extent of this attack is massive.

Huntress Labs spotted more than 30 MSPs around the world which were using Kaseya VSA and had unwittingly passed the ransomware on to over 1,000 businesses.

Other estimates, based on the Dutch Institute for Vulnerability Disclosure (DIVD) finding around 2,000 active VSA servers, suggest perhaps as many as 200,000 organisations could be affected.

US President Joe Biden said the government was uncertain about who began the attack.

"The initial thinking was it was not the Russian government but we're not sure yet," he said.

It’s the second major supply chain attack to hit a US-based vendor in less than 12 months, after it was discovered that suspected Russian hackers used remote monitoring software from SolarWinds to infiltrate US government departments and large businesses.

Forced closure

Swedish supermarket chain Coop closed 500 stores after the ransomware – delivered through one of Coop’s software providers – knocked its checkouts offline.

A spokesperson for Coop described how its systems were gradually infected.

“We first noticed problems in a small number of stores on Friday evening around 6:30pm so we closed those stores early,” they said.

“Then overnight we realised it was much bigger and we took the decision not to open most of our stores this morning so that our teams could work out how to fix it.”

The Australian Cyber Security Centre issued a 'High' alert for the attack and said it "has received reporting of this incident impacting Australian organisations" and was assisting local victims.

The attackers – which CrowdStrike identified as ‘Pinchy Spider’, an affiliate and distributor of REvil ransomware – spread their ransomware by first disguising it as a “Kaseya VSA Agent Hot-Fix”, which used its high privileges to run a PowerShell procedure disabling real-time monitoring, intrusion protection, and other security features before sideloading the encryptor.
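A detection check for the behaviour described above, as an added example that is not part of the original article: it flags PowerShell process-creation events that switch off endpoint protection features. It assumes Microsoft Defender is the protection in use (configured through `Set-MpPreference`); the event fields and sample events are constructed for illustration.

```python
import re

# Matches Set-MpPreference switches of the form "-DisableXxx $true" or "-DisableXxx 1".
# "$false" and "0" are deliberately not matched: they re-enable the feature.
DISABLE_SWITCH = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.IGNORECASE)

# Constructed process-creation events (hypothetical hosts and field names,
# not taken from the incident).
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "agent.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -Command Set-MpPreference "
            "-DisableRealtimeMonitoring $true "
            "-DisableIntrusionPreventionSystem $true"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"},
    {"host": "ws-03", "parent": "cmd.exe", "image": "PowerShell.EXE",
     "cmd": "PowerShell.EXE set-mppreference -disablescriptscanning 1"},
    {"host": "ws-04", "parent": "explorer.exe", "image": "notepad.exe",
     "cmd": "notepad.exe notes-on-Set-MpPreference.txt"},
]


def find_defender_tampering(events):
    """Return one finding per PowerShell event that disables Defender features."""
    findings = []
    for ev in events:
        # Only PowerShell hosts are of interest here.
        if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        cmd = ev["cmd"]
        if "set-mppreference" not in cmd.lower():
            continue
        # Collect every protection feature the command turns off.
        switches = sorted({m.group(1).lower() for m in DISABLE_SWITCH.finditer(cmd)})
        if switches:
            findings.append({"host": ev["host"],
                             "parent": ev["parent"],
                             "switches": switches})
    return findings


if __name__ == "__main__":
    for finding in find_defender_tampering(SAMPLE_EVENTS):
        print(finding)
```

The parent process is kept in each finding because a management agent spawning this command is the context that matters here. Commands passed in encoded form are not decoded by this check.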

Kaseya has distributed a compromise detection tool to its customers to scan systems for indicators of compromise.

Pinchy Spider’s ransom note reportedly demanded MSP customers pay around $57,000 worth of the privacy cryptocurrency Monero to decrypt files, but negotiations shared by Bleeping Computer show the gang was asking that price per file and a full network decryption could cost more than US$500,000.

On Monday afternoon, the ransomware gang updated its dark web leak site, taking responsibility for the attack and offering to sell a 'universal decryptor' for US$70 million in bitcoin which would allow all victims to decrypt their files in "less than an hour".

Ringing the alarm bells

The incident was nearly averted as researchers with the DIVD reported the critical vulnerability to Kaseya – which was preparing and testing a patch – just before Pinchy Spider/REvil launched its attack.

Victor Gevers, a researcher with the DIVD, tried to shift blame away from Kaseya for being the springboard for this disruptive event.

“After this crisis, there will be the question of who is to blame. From our side, we would like to mention Kaseya has been very cooperative,” he said in a blog post.

“They showed a genuine commitment to do the right thing.

“Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Adam Meyers, senior VP of CrowdStrike Intelligence, described the Kaseya attack as “ominous”.

“The continued success of large software supply chain attacks provides an ominous outlook for organisations of all sizes as threat actors observe how profitable and wide ranging they can be,” he said.

“Organisations must understand that these headlines are no longer warnings but are a reality of what is in their future if they have not established a mature cybersecurity strategy.”

Update Tuesday July 6: This story has been updated to include information about the universal decryptor and more recent information from the Australian Cyber Security Centre.