Kaseya releases security patch as companies continue to recover
Kaseya, provider of remote management and monitoring software, released a patch on July 11 to fix a vulnerability in its server that the Russia-linked REvil group exploited nine days earlier to launch a ransomware attack against managed service providers and their clients.
While 95% of its cloud-based customers have been returned to service, the attack continues to affect Kaseya customers and clients. Some companies continue to struggle as others have begun returning to some semblance of normal business.
La Plata, Maryland-based JustTech, which provides technology services to more than 3,000 customers in six states and Washington DC, had about 100 customers go “completely down” on July 2, says founder and president Joshua Justice. The town offices of two JustTech clients, in North Beach and Leonardtown, Maryland, have acknowledged they were affected in the attack. While the company had clean backups from the morning of the attack, it had no way to easily transfer backups to clients.
So Justice rallied his non-technical employees to ferry hard drives from the company’s data centers to those clients’ offices. He estimates the work will be done today.
“We had plans to bring clients back and fully recover from situations such as this, but never envisioned we would need to do everyone at once,” he says. “As client data is transferred from our secure data centers to hard drives, non-IT JustTech team members have been runners of clients’ data and taken the hard drives to a client’s location to meet a JustTech IT team member for reinstallation.”
JustTech is a single customer of Kaseya and accounts for 100 affected organizations. This suggests that if 30 to 70 Kaseya customers were affected, as current estimates indicate, the number of downstream businesses could easily exceed the 1,500 to 2,000 total organizations estimated to be affected. Danish managed service provider VelzArt, for example, reportedly had 200 to 300 clients affected by the attack. Kaseya reportedly estimated about 70% of its affected customers were managed service providers, a fact that could have a significant multiplicative effect on the total number of businesses impacted.
The remaining 30% are Kaseya users such as Virginia Tech, which ran an on-premises version of the vulnerable Virtual Server Administrator (VSA) server. The university does not have downstream clients, but the attack did result in about 600 systems being encrypted with ransomware, according to a local news account.
To read the complete article, visit Dark Reading.