  • Kaseya VSA has been hit with a ransomware attack


      • #2375228
        Susan Bradley
      • #2375346
        AskWoody Plus

        “C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.”

        So, if you don’t run Defender, you are in the clear?

        • #2375356
          Paul T
          AskWoody MVP

          Nope, it uses Defender to run the malware – very clever as Defender is always allowed to run.

          cheers, Paul

          • #2375387
            AskWoody Plus

            But 3rd-party A/Vs disable Defender, so how can it run?

            • #2375388

              Third-party A/Vs disable the A/V part of Defender.
              Do they disable ALL of the other parts of Defender?

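Added example (not code from this thread, Kaseya or any vendor): a small hunt over constructed Sysmon-style process-creation and image-load events that flags the pattern quoted above, a Defender engine binary (MsMpEng.exe) running from, or loading mpsvc.dll from, somewhere other than Defender's own install directories. The trusted directories, the expected parent process (services.exe) and the sample events are assumptions made for the example, not facts stated in the thread.

```python
"""Hunt for a relocated Defender engine side-loading mpsvc.dll.

Added example, not from the AskWoody thread, Kaseya or Microsoft.  It runs
over a handful of constructed Sysmon-style events (process creation and
image load) and reports an MsMpEng.exe that runs from, or loads mpsvc.dll
from, a directory outside Defender's own install roots.
"""
from pathlib import PureWindowsPath

# Assumption: roots under which the genuine Defender engine is installed.
TRUSTED_DEFENDER_DIRS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)
ENGINE_EXE = "msmpeng.exe"
SIDELOADED_DLL = "mpsvc.dll"
# Assumption: the WinDefend service host is normally started by the SCM.
EXPECTED_PARENT = "services.exe"

# Constructed sample events; the two C:\Windows paths mirror the quote above.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2104.14\MsMpEng.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "image_load",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2104.14\MsMpEng.exe",
     "loaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2104.14\mpsvc.dll"},
    {"type": "process_create",
     "image": r"C:\Windows\MsMpEng.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "image_load",
     "image": r"C:\Windows\MsMpEng.exe",
     "loaded": r"C:\Windows\mpsvc.dll"},
]


def under_trusted_dir(path: str) -> bool:
    """True if path lies below one of the trusted Defender roots.

    PureWindowsPath compares case-insensitively, so C:\\WINDOWS and
    c:\\windows are treated as the same directory.
    """
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in TRUSTED_DEFENDER_DIRS)


def hunt(events):
    """Return (rule, offending_path) tuples for every suspicious event."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        if ev["type"] == "process_create" and image.name.lower() == ENGINE_EXE:
            # Engine binary copied somewhere it does not belong.
            if not under_trusted_dir(ev["image"]):
                findings.append(("engine_outside_defender_dirs", ev["image"]))
            # Engine launched by something other than the service control manager.
            parent = PureWindowsPath(ev["parent"]).name.lower()
            if parent != EXPECTED_PARENT:
                findings.append(("engine_not_started_by_scm", ev["parent"]))
        elif ev["type"] == "image_load":
            # mpsvc.dll resolved from a planted copy rather than the install dir.
            loaded = PureWindowsPath(ev["loaded"])
            if loaded.name.lower() == SIDELOADED_DLL and not under_trusted_dir(ev["loaded"]):
                findings.append(("mpsvc_dll_outside_defender_dirs", ev["loaded"]))
    return findings


if __name__ == "__main__":
    for rule, path in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

On a live host the same three checks map onto Sysmon event IDs 1 (process creation) and 7 (image load), or onto whatever EDR telemetry you already collect. Note the caveat behind the "always allowed to run" remark: the copied MsMpEng.exe still carries Microsoft's signature, so signature-based application allow-listing does not stop it; the location and parent of the process are what give it away.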
      • #2375389

        Almost every Coop foodstore is out of business today 🙂

        This is how it goes if you put all your eggs in the same basket.

      • #2375453
        AskWoody Plus

        Important Notice July 3rd, 2021

        July 3, 2021 1:30 PM EDT

        Latest Updates will be published at:  Important Notice July 3rd, 2021 – Kaseya

        Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.

        Kaseya is progressing on the security incident along multiple workstreams:

        Since the security of our customers is paramount, we are continuing to strongly recommend that our on-premises customers’ VSA servers remain offline until further notice…

        We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized…

      • #2375625
        AskWoody Lounger

        0patch has a free patch for CVE-2021-34527, a critical remote code execution and local privilege escalation vulnerability dubbed “PrintNightmare.”

        Dear 0patch friends,

        You’ve probably been hearing about the critical remotely exploitable “PrintNightmare” vulnerability (CVE-2021-34527) in all Windows systems, which was made public last week and is already getting exploited. There is no official patch from Microsoft yet for this vulnerability.

        We at 0patch have decided to step in and created micropatches that are currently available for:

        1. Windows Server 2019 (updated with June 2021 Updates)
        2. Windows Server 2016 (updated with June 2021 Updates)
        3. Windows Server 2012 R2 (updated with June 2021 Updates)
        4. Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)
        5. Windows Server 2012 (updated with June 2021 Updates) – patch scheduled to be released on Monday, 7/5/2021

        We started with patches for the most critically impacted systems, and will issue additional ones for other affected platforms. All Windows Servers from 2008 on are affected at least when they act as domain controller, but new information indicates that all Windows versions (workstations and servers) may be affected via an alternate attack vector. We will be updating our blog post and posting updates on Twitter as we know more.

        These patches are completely FREE and will remain so until Microsoft has issued an official fix for this vulnerability.

        If your computers are affected (at least domain controllers), create a free account for 0patch Central, then install and register 0patch Agent from Everything else will happen automatically. No computer reboots will be needed.

        Since this is a critical vulnerability without an official fix, please do a favor to everyone you know to be affected and let them know about 0patch. Thank you!

        For more information, please check out our blog post, read our FAQ, or just drop an email to We’re waiting for you.

        Your 0patch Team

      • #2375782
        AskWoody MVP

        Meanwhile, the REvil ransomware gang that is responsible for the attack claims on its website that “more than a million systems were infected.”

        According to reports, REvil has been demanding $45,000 to decrypt each infected PC, or $5 million for an entire domain.

        In addition, the REvil ransomware gang is offering to make publicly available a decryption tool that will “decrypt files of all victims” for the princely sum of $70 million worth of Bitcoin.

        Is this the biggest ransomware attack of all time?

        Quite possibly.

        REvil ransomware rampages following Kaseya supply-chain attack

        Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

        • #2375786
          AskWoody MVP

          The REvil gang of scumbag digital stooges will be cursing at their foiled plan when the Keystone Cops trace bitcoin payments; fancy demanding Bitcoin of all the cryptocurrency payment methods. ROTFL

          | Quality over Quantity |
      • #2375874
        AskWoody Plus

        “fancy demanding Bitcoin of all the cryptocurrency payment methods. ROTFL”

        I suppose that a bank check will do.

        “when the Keystone Cops trace bitcoin payments”

        That was pure luck and negligence on the part of the receiver.

        No one has found, to date, the $3.6 billion of vanished Bitcoins.