The infamous REvil ransomware hits again with its latest campaign affecting more than 200 organizations relying on the Kaseya IT management provider.

REvil Ransomware hits Kaseya IT service provider:

The Kaseya IT management software provides unified management software to help corporate organizations scale IT operations with IT management software for MSPs and IT Teams.

In what appears to be the critical aftermath of the attack on Kaseya, the REvil ransomware managed to affect at least 200 organizations on Kaseya’s customer list.

Following the ransomware attack, the IT service provider addressed the attack on July 2 and further stated that they promptly shut down its software-as-a-service (SaaS).

Subsequently, the on-premises customers of the software service were also notified of the cyberattack. 

According to Kaseya, they reported the incident to related forensic investigators and cybersecurity agencies so as to critically investigate the ransomware attack.

Exploiting a vulnerability in Kaseya VSA:

Trusted security sources provide that the Revil ransomware managed to attack the organization by spreading via exploiting a vulnerability in Kaseya VSA. 

Kaseya VSA is a cloud-based IT management and remote monitoring solution for businesses of all sizes that provide a central console for managing IT operations including handling complaints, ticketing, auditing, monitoring performance, and reporting.

Also read,

When the ransomware spread via Kaseya VSA, it encrypted the compromised systems and demanded a ransom in exchange for decrypting them.

The IT service provider states that the number of compromised systems in the Revil ransomware attack was limited to less than 40 systems worldwide, as of July 2. 

However, according to other security experts, apart from Kaseya’s direct customers, at least 200 other organizations were impacted by the ransomware attack.

Further analytic evidence suggests that REvil ransomware was most definitely responsible for the attack.

Following the attack, Kaseya has reportedly prepared a patch for VSA that’s expected to remove the vulnerability exploited by this campaign. The patch is in testing stages and customers hosting VSA are expected to receive it after confirming its efficiency.

But it might take a while for affected businesses to install that patch or recover their files. The attack happened just before Independence Day in the U.S. Many companies give employees long weekends to celebrate the holiday, which will limit their ability to respond to this incident.