1,500 businesses compromised by the recent ransomware attack on supply chain vendor Kaseya, the company says

Over the weekend, Kaseya IT management software, a tool commonly used in Managed Service Provider (MSP) environments, was reportedly hit by the REvil ransomware attack, a ransomware hacker group believed to operate out of Russia.

As we reported on Monday, the initial ransomware infection was estimated to have affected about 30-40 of Kaseya customers with potential ripple effects to infect many more customers. Now, are learning more about the extent of the damage.

Today, Kaseya said as many as 1,500 small businesses managed by its customers were compromised. Unlike the SolarWinds attack, however, the REvil group demanded $70 million to restore the data they are holding for ransom from victims spread across at least 17 countries, according to a posting on a dark website.

In a statement on its website, Kaseya said the attack had limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached. The company also added that “of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”

“On July 2, at approximately 2 p.m. EST, Kaseya was alerted to a potential attack by internal and external sources. Within an hour, in an abundance of caution, Kaseya immediately shut down access to the software in question. The attack had limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached.”

According to research published by cybersecurity firm ESET, about a dozen different countries were affected by the Kaseya ransomware attack that has now affected the global supply chain. ESET noted that some of Kaseya’s customers were hit by a compromised update package for users of Kaseya’s remote monitoring VSA platform because these customers were MSPs with numerous customers of their own. ESET reported a variant of the ransomware known as “Win32/Filecoder.Sodinokibi.N trojan on July 2nd at 3:22 PM (EDT; UTC-04:00).”

Kaseya further explained that after making the rapid decision to shut down access to the software, an internal incident response team, partnering with leading industry experts in forensic investigations, sprang into action to determine the nature of the attack.

“Once an attack was established, law enforcement and government cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), were notified and immediately engaged. Soon after the attack, with assistance from the FBI and CISA, the root cause of the attack was identified,” Kaseya said.

“While impacting approximately 50 of Kaseya’s customers, the company was proactive in its mitigation efforts to minimize any impact to critical infrastructure. Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants. Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”

Meanwhile, Ross McKerchar, the chief information security officer at Sophos Group Plc, said that “schools, small public-sector bodies, travel and leisure organizations, credit unions, and accountants” are among those hit by the REvil ransomware attack.

“This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” said Ross McKerchar, the chief information security officer at Sophos, “at this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions.”