Kaseya Virtual System Administrator (VSA) Ransomware Attack

Published on 03 Jul 2021

Updated on 07 Jul 2021

This is an update to the alert: 

MSPs and IT teams using VSA should scan for Indicators of Compromise (IoCs) in their network and systems using Kaseya's newly released Compromise Detection Tool. They should also closely monitor their network for any unusual activities. As the ransomware was disguised as a Kaseya software update, users should switch off the auto-update function and monitor for updates from the Kaseya support website.

Users who believe that they may have been impacted should contact support@kaseya.com with the subject “Security Incident Report”. They should also immediately activate their incident response plan.

MSPs and IT teams are reminded to maintain up-to-date and offline backups of business-critical data. Where possible, MSPs and IT teams should also consider implementing the following security measures:
• Enable and enforce multi-factor authentication (MFA) on all administrative and privileged accounts.
• Restrict access for the remote monitoring and management (RMM) capability to only trusted IP addresses.
• Place the RMM in a virtual private network (VPN) or behind a firewall on a dedicated administrative subnetwork.


Original alert published on 3 July 2021 below:

Kaseya, an IT management software provider for Managed Service Providers (MSPs) and IT teams, has learned of a potential security incident involving its Virtual System Administrator (VSA) software platform that provides endpoint management and network monitoring.

Kaseya is investigating the incident.

MSPs and IT teams using VSA are advised to follow the guidance in Kaseya's advisory to immediately shut down the Kaseya server, and to continue monitoring Kaseya's website for further guidance.

More information is available here:
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack
https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa