VSA 0-Day

Last week, the hacker group behind the REvil ransomware launched a cyber attack against Kaseya, a software provider based in Miami, Florida, USA.

Kaseya has confirmed that the attack spread through its cloud VSA solution, which is why the company decided to shut down its VSA SaaS infrastructure. Since then, affected organizations have continued to come forward, and the first ransom amounts demanded have been made public; those amounts have been growing since the attack.

Hackers Exploited VSA 0-Day

In this incident, the operators of REvil affected thousands of customers around the world by exploiting a 0-day vulnerability in VSA.

“To date, we are aware of fewer than 60 Kaseya customers, all of which were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found any evidence that any of our SaaS customers were compromised,” Kaseya said.

The attackers also demanded a total of 70 million dollars in bitcoin in exchange for a universal decryptor capable of decrypting all the affected systems.

In the previous month, the meat-processing company JBS admitted to having paid a total of $11 million in ransom to resolve an attack blamed on REvil.

The attack has been reported in more than 17 countries, where it affected users and halted the operations of companies in several sectors, including:

  • Financial services
  • Travel companies
  • Leisure companies
  • Even public entities
  • Political organizations

Hundreds of supermarkets, along with the Swedish supermarket chain Coop, had to close because of this attack, since their cash registers stopped working.

The FBI has confirmed that it is investigating the case together with the Infrastructure and Cybersecurity Agency. It also stated that, due to the magnitude of the attack, it might not be able to respond to each affected customer or user of the company individually.

All the clues indicate that the hackers launched a ‘zero-day’ attack. In such cases, the attackers infiltrate a computer system and plant ‘malware’ that renders it unusable, so the victims have to pay the extortion to obtain a decryption key.

Cybersecurity researchers have also claimed that the attack was deliberately carried out at the start of the holiday week around July 4, when offices in the United States were understaffed due to the Independence Day celebration.

Kaseya said that it has developed a patch for VSA in order to bring all its services back online as soon as possible. The company also said that it is working closely with the FBI to improve its security measures after the attack.

Indicators of Compromise

Network IOCs

The following IP addresses were seen accessing VSA Servers remotely.


Endpoint IOCs

The following files were used as part of the deployment of the encryptor:

Filename  | MD5 Hash                                           | Function
----------|----------------------------------------------------|------------------------------
cert.exe  | N/A – Legitimate File with random string appended  | Legit certutil.exe Utility
agent.crt | 939aae3cc456de8964cb182c75a5f8cc                   | Encoded malicious content
agent.exe | 561cffbaba71a6e8cc1cdceda990ead4                   | Decoded contents of agent.crt
mpsvc.dll | a47cf00aedf769d60d58bfe00c0b5421                   | Ransomware Payload
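
A sweep for the endpoint IOCs in the table above, added here as an example (it is not code from Kaseya or from the original article). It reports content that matches a listed MD5 even when the file has been renamed, and separately flags listed file names whose hash differs or, as with cert.exe, has no stable hash because of the appended random string. The function names `md5_of` and `sweep` and the verdict labels are this example's own.

```python
import hashlib
import os
import sys

# Endpoint IOCs from the table above: file name -> MD5.
# None: no stable hash (cert.exe is certutil.exe with a random string appended).
IOCS = {
    "cert.exe": None,
    "agent.crt": "939aae3cc456de8964cb182c75a5f8cc",
    "agent.exe": "561cffbaba71a6e8cc1cdceda990ead4",
    "mpsvc.dll": "a47cf00aedf769d60d58bfe00c0b5421",
}

def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, iocs=IOCS):
    """Walk root and return sorted (path, verdict) findings.

    'hash-match:<name>' - content matches a listed MD5, even if the file was renamed.
    'name-only'         - listed file name, but the hash differs or none is published.
    """
    by_hash = {h.lower(): n for n, h in iocs.items() if h}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of(path)
            except OSError:
                continue  # locked or unreadable file: skip, do not abort the sweep
            if digest in by_hash:
                findings.append((path, "hash-match:" + by_hash[digest]))
            elif name.lower() in iocs:
                findings.append((path, "name-only"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python sweep.py <directory>   (script name is hypothetical)
    for path, verdict in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(verdict, path)
```

A `name-only` finding needs manual review: these file names are not unique to this incident, and only a hash match ties the content to the listed files.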
