After a couple of false starts in attempting to bring its SaaS and on-premises VSA services back online following the REvil ransomware event last week, Kaseya executives now say the services won’t be available until Sunday afternoon.
Kaseya CEO Fred Voccola said in a video update Wednesday evening that he was “very confident” that the company’s VSA services would be back online Sunday, and clarified that it was his decision to halt the previous restart attempt earlier this week. The decision was made out of an abundance of caution after Kaseya’s internal IT team and outside experts suggested some additional security mitigations.
“I don’t want anyone to think that we aren’t taking this as seriously as anything we’ve done professionally,” Voccola said.
“All software has vulnerabilities and flaws and it’s our job to make sure they don’t impact you.”
The ransomware incident that caused the shutdown of Kaseya’s VSA remote management and monitoring service was not a direct attack on the company itself, but rather an attack against several dozen managed services providers (MSPs) that use the on-premises version of the product. The REvil ransomware actors were able to exploit at least two previously undisclosed vulnerabilities in VSA to gain access to the servers and then eventually deploy ransomware on the networks of the MSPs’ customers. Those flaws were two of seven that researchers from the Dutch Institute for Vulnerability Disclosure discovered and disclosed to Kaseya in early April.
Kaseya patched some of the flaws in May, but others have not yet been resolved.
“When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands. After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do. We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA,” the DIVD CSIRT said in a post on the vulnerabilities.
“We later learned that one of the two vulnerabilities used in the attack was one we previously disclosed to Kaseya VSA. We have no indication that Kaseya is hesitant to release a patch. Instead they are still working hard to make sure that after their patch the system is as secure as possible, to avoid a repeat of this scenario.”
The total number of organizations affected by the REvil ransomware in this incident is unclear, but Kaseya officials said earlier this week that it was fewer than 1,500 organizations.