Kaseya’s VSA SaaS restart fails, service restoration delayed by at least ten hours

CEO comes out swinging, says 'people make the story and make the impact of this larger than what it is'

Kaseya’s attempt to recover its SaaS services has failed, and its CEO has attempted to play down the significance of the incident that has kept its VSA services offline since July 2nd and caused over 1,000 ransomware infections.

The biz, which makes system monitoring and management software for IT service providers, issued an update at 10PM Eastern Daylight Time (EDT) on July 6th that stated:

During the VSA SaaS deployment, an issue was discovered that has blocked the release. Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline.

The company had previously advised that SaaS restoration had commenced, with individual SaaS servers due to come online “throughout the night US time”. “All systems will be online and accessible by July 7th 6AM US EDT,” the advice stated.

Now the company says its next update will come at 8AM US EDT. It has offered no information on the likely time of restoration or the nature of the issue that has slowed the SaaS rollout. Nor has Kaseya said whether its promise to patch its on-premises VSA software within 24 hours of SaaS restoration remains in force.

The delay is a further embarrassment to the company, given that CEO Fred Voccola went on the record, in the video below, with his opinion that he expected SaaS restoration “in the coming hours” — although he added that the company is being “incredibly conservative about it”.

[Embedded YouTube video]

The CEO comes out swinging in the video, saying “even the best defences get scored on” and mentioning that other vendors, including direct rival ConnectWise, have experienced similar troubles. Voccola also offered his opinion that Kaseya’s woes mean: “All of a sudden cyber crime and ransomware has become … the topic of the day and we're caught in the middle of it and people make the story and make the impact of this larger than what it is.”

A quick reminder: this cyber-attack has seen countless businesses going without IT management tools, with impacts including shuttered supermarkets, problems with schools, an estimated 1,000-plus ransomware infections, and a demand for a $70m payment in Bitcoin by the REvil ransomware gang. It really is quite a large impact.

It appears miscreants were able to exploit a vulnerability in on-prem deployments of Kaseya's IT management suite VSA to infect systems with the REvil ransomware. Kaseya urged people to disable their VSA servers to protect themselves, and it shut down its software-as-a-service offering of VSA, too.

The CEO also observed: “Unfortunately there are bad people out there who can make a lot of money or try to make a lot of money and get paid in anonymous currencies that are very difficult if not impossible to trace by the authorities, so there’s no money trail for them to go and get these criminals.”

In the video, Voccola also appears to have changed Kaseya’s guidance on the number of infected on-premises deployments, as he mentions “50 customers or so” were infected. Kaseya’s previous guidance mentioned “fewer than 40” and “fewer than 60”. The aforementioned 1,000-plus ransomware victims are the customers of those four-dozen or so Kaseya customers, infected via their VSA IT management installations.

Whenever Kaseya’s SaaS is restored, customers will have to check the network configurations they use, as one of the new security measures is a change to the IP addresses of the company’s SaaS servers.

“For almost all customers, this change will be transparent,” the 10PM advisory states. “However if, and only if, you have whitelisted your Kaseya VSA server in your firewall(s), you will need to update the IP whitelist.” The new addresses can be found here.

Voccola’s video also revealed that around 150 Kaseya staff “have probably slept a grand total of four hours in the last two days literally and that’ll continue until everything is as perfect as can be.” ®

Biting the hand that feeds IT © 1998–2022