Kaseya VSA has been hit with a ransomware attack

Topic

New Reply

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/ https://twitter.com/markloman/status/1411035534554808331 “We ar
[See the full post at: Kaseya VSA has been hit with a ransomware attack]

Susan Bradley Patch Lady

1 user thanked author for this post.

Alex5723

Reply | Quote

Replies

C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.”

So, if you don’t run Defender you are in the clear ?

Reply | Quote

Nope, it uses Defender to run the malware – very clever as Defender is always allowed to run.

cheers, Paul

1 user thanked author for this post.

Alex5723

Reply | Quote

But 3rd party A/Vs disable Defender, so how can it run ?

Reply | Quote

Third-party A/Vs disable the A/V part of Defender.
Do they disable ALL of the other parts of Defender?

1 user thanked author for this post.

Alex5723

Reply | Quote

Almost every Coop foodstore is out of business today 🙂

This is how it goes if you put all your eggs in the same basket

https://translate.google.com/translate?sl=auto&tl=en&u=https://www.svt.se/nyheter/inrikes/coop-tvingas-stanga-efter-kassahaveri

Reply | Quote

Not in the UK….for the time being.

Reply | Quote

But 500 stores in Sweden:

Swedish Co-op supermarkets shut due to US ransomware cyber-attack [BBC News]

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

Reply | Quote

Important Notice July 3rd, 2021

July 3, 2021 1:30 PM EDT

Latest Updates will be published at:  Important Notice July 3rd, 2021 – Kaseya

Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.  

Kaseya is progressing on the security incident along multiple workstreams:

Since the security of our customers is paramount, we are continuing to strongly recommend that our on-premises customers’ VSA servers remain offline until further notice. ..

We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized…

Reply | Quote

0Patch has a free patch for CVE-2021-34527—a critical remote code execution and local privilege escalation vulnerability dubbed “PrintNightmare.”
————————————————————–

Dear 0patch friends,

You’ve probably been hearing about the critical remotely exploitable “PrintNightmare” vulnerability (CVE-2021-34527) in all Windows systems, which was made public last week and is already getting exploited. There is no official patch from Microsoft yet for this vulnerability.

We at 0patch have decided to step in and created micropatches that are currently available for:

1.Windows Server 2019 (updated with June 2021 Updates)
2.Windows Server 2016 (updated with June 2021 Updates)
3.Windows Server 2012 R2 (updated with June 2021 Updates)
4.Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)
5.Windows Server 2012 (updated with June 2021 Updates) – patch scheduled to be released on Monday, 7/5/2021

We started with patches for the most critically impacted systems, and will issue additional ones for other affected platforms. All Windows Servers from 2008 on are affected at least when they act as domain controller, but new information indicates that all Windows versions (workstations and servers) may be affected via an alternate attack vector. We will be updating our blog post and posting updates on Twitter as we know more.

These patches are completely FREE and will remain so until Microsoft has issued an official fix for this vulnerability.

If your computers are affected (at least domain controllers), create a free account for 0patch Central, then install and register 0patch Agent from 0patch.com. Everything else will happen automatically. No computer reboots will be needed.

Since this is a critical vulnerability without an official fix, please do a favor to everyone you know to be affected and let them know about 0patch. Thank you!

For more information, please check out our blog post, read our FAQ, or just drop an email to sales@0patch.com. We’re waiting for you.

Your 0patch Team

<hr />

<h4>gthomas</h4>
…

1 user thanked author for this post.

SueW

Reply | Quote

Meanwhile, the REvil ransomware gang that is responsible for the attack claims on its website that “more than a million systems were infected.”
…
According to reports, REvil has been demanding $45,000 to decrypt each infected PC, or $5 million for an entire domain.

In addition, the REvil ransomware gang is offering to make publicly available a decryption tool that will “decrypt files of all victims” for the princely sum of $70 million worth of Bitcoin.
…
Is this the biggest ransomware attack of all time?

Quite possibly.

REvil ransomware rampages following Kaseya supply-chain attack

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

Reply | Quote

The REvil gang of scumbag digital stooges will be cursing at their foiled plan when the keystone cops trace bitcoin payments, fancy demanding Bitcoin of all the cryptocurrency payment methods. ROTFL

Keep IT Lean, Clean and Mean!

1 user thanked author for this post.

wavy

Reply | Quote

Microfix wrote:

fancy demanding Bitcoin of all the cryptocurrency payment methods. ROTFL

I suppose that a Bank’s check will do.

when the keystone cops trace bitcoin payments

That was pure luck and negligence of the receiver.

No one has found to date $3.6 Billion vanished Bitcoins.

1 user thanked author for this post.

wavy

Reply | Quote