
Ransomware Hits Kaseya VSA, Affecting Dozens of MSPs

About 60 managed service providers (MSPs) and almost 1,500 of their business customers may have been affected by a ransomware attack targeting Kaseya's VSA management solution.

Kaseya provides its VSA solution as a service, hosted from its datacenters, but the management software also gets installed on local servers (on customer premises). VSA is typically used by MSPs to provide outsourced IT support to businesses. 

In a series of posts starting July 2, Kaseya attributed the "supply-chain" attack to the REvil ransomware gang (a.k.a., "Sodinokibi"). Kaseya shut down its VSA servers and urged its customers using VSA on local infrastructure to do the same. However, the vulnerability had already been leveraged by the attackers, affecting MSPs and businesses.

On-Premises VSA Customers Affected
Here is Kaseya's July 5 assessment of the ransomware attack, which indicated that MSP customers using VSA installed on-premises, as well as their customers, were the ones affected:

To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised.

So far, it's known that 800 of Sweden's Coop grocery stores were shut down due to the ransomware, according to a Reuters report. Coop relies on Visma Esscom to keep its cash registers running, and Visma Esscom uses Kaseya's solution for IT management tasks.

The attackers are said to have "demanded $70 million to restore all the affected businesses' data," although they negotiate the price, per another Reuters story.

Kaseya is currently working to restore its VSA service and has distributed an indicator-of-compromise detection tool for customers that's available from a link in its announcement. The company hired Mandiant to assess its overall security posture, according to a Kaseya "Incident Overview" post.

The ransomware attacks mostly affected customers located in the "United Kingdom, South Africa, Canada, Germany, the United States and Colombia," according to a post by ESET security researchers. The ESET post included a reproduction of the ransom note, which promised to provide a key to restore an organization's encrypted data for a price.

The ransomware attackers used the zero-day flaw in Kaseya's VSA software to add a malicious dropper via a PowerShell script, according to analysis by Kaspersky researchers. This script disables current Microsoft Defender anti-malware software and substitutes an older version. It also sets up the ransomware via a dynamic link library file.

Kaseya Was Fixing the Flaw 
The vulnerability in Kaseya's VSA software apparently was known before the outbreak of the ransomware attacks. It had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) and a fix was being worked on, according to a Kaspersky Threatpost article, as well as this July 4 DIVD post.

The DIVD recently reported seeing a rapid decrease in the use of VSA servers per this July 6 post. It advised following security best practices, such as using multifactor authentication and removing public Internet-facing admin interfaces.

The attack is under investigation by the U.S. Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, which offered guidance for affected MSPs and affected MSP customers via this announcement. It includes links to articles listing indicators of compromise, plus general advice for users of remote monitoring and management (RMM) tools.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
