Managed Service Providers Used in Coordinated, Mass Ransomware Attack Impacting Hundreds of Companies


Rapid7 is aware of and tracking all information surrounding a coordinated, mass ransomware attack reported to be affecting hundreds of organizations. Huntress Labs is maintaining a public Reddit thread documenting the scope and triage of an event that has, so far, stemmed from 8 managed service providers.


Evidence points to a supply chain attack targeting Kaseya VSA patch management and monitoring software. Ransom notes suggest REvil is behind the coordinated attack.


Rapid7 Managed Detection and Response teams suggest that, out of an abundance of caution, organizations that use either an on-premises Kaseya VSA server or the Kaseya cloud-based VSA solution perform the following steps immediately:


Disable or uninstall the Kaseya agent
If you host the Kaseya management server, shut down this system (Kaseya also strongly suggests this course of action)
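The first step above, carried out on a Windows endpoint, as an added example that is not part of the Rapid7 post or Kaseya's own tooling. The service-name pattern '*Kaseya*' is an assumption; confirm the actual service name on your endpoints before relying on it.

```powershell
# Added example (not from the Rapid7 post): inventory Kaseya agent services on a
# Windows host, stop them, and prevent them from restarting on reboot.
# ASSUMPTION: the agent service name or display name contains 'Kaseya'.
$pattern = '*Kaseya*'

# Collect matching services first so the action can be reviewed before it is taken.
$agents = Get-Service | Where-Object {
    $_.Name -like $pattern -or $_.DisplayName -like $pattern
}

if (-not $agents) {
    Write-Output "No services matching '$pattern' found on $env:COMPUTERNAME."
    return
}

foreach ($svc in $agents) {
    Write-Output ("Found {0} ({1}), status {2}" -f $svc.DisplayName, $svc.Name, $svc.Status)
    # Stop the running agent, then disable it so it does not come back after a reboot.
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
    }
    Set-Service -Name $svc.Name -StartupType Disabled
}

# Record the post-action state for the incident timeline.
Get-Service | Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern } |
    Select-Object Name, DisplayName, Status, StartType |
    Export-Csv -Path "$env:TEMP\kaseya-agent-state.csv" -NoTypeInformation
```

Run from an elevated PowerShell session; disabling the service stops the agent but does not remove it, so follow with an uninstall once your triage is complete.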

Kaseya appears to be providing updates via their public helpdesk page, and their status page provides visibility into the status of their hosted infrastructure.


Researcher @BushidoToken has provided a link to a GitHub gist containing the REvil configuration dump, which includes indicators of compromise that organizations may be able to use to detect evidence of these actors operating in their infrastructure.


Rapid7 will update this post as more information becomes available.



