Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor key for the REvil Ransomware attack that struck on July 2, 2021, the MSP software company disclosed on July 26, 2021.
The background: Kaseya suffered a REvil ransomware attack on July 2, 2021. Then, on July 21, the company obtained a decryptor key to help MSPs and end-customers recover from the attack. At the time, Kaseya did not say whether it had paid a ransom, or paid extortionists, to obtain the key. Fast forward to July 26, 2021, and the software company says no ransomware payment was made.
The Kaseya timeline also includes a July 11 restore of SaaS services for VSA customers, and patches for on-premises VSA customers.
The attack hit roughly 50 MSPs on July 2, and then spread to 800 to 1,500 businesses worldwide, Kaseya CEO Fred Voccola told Reuters on July 5. Kaseya developed a patch and began a SaaS system restore on July 6, but the company then delayed that restore until Sunday, July 11, Voccola disclosed on July 7.
Meanwhile, ConnectWise on July 13 reactivated an integration with IT Glue, an MSP documentation platform owned by Kaseya. ConnectWise reactivated the connection after receiving written assurances from Mandiant that IT Glue was not impacted by the VSA incident.
Among the remaining question marks:
- How many customer endpoints overall were encrypted? The hackers claimed to have hit 1 million endpoints, but the actual figure remains unclear.
- How many MSPs are still working to restore their on-premises VSA servers and associated end-customer systems?
Here are the latest breaking details (updated regularly) from MSSP Alert.
Note - Official Statements From Kaseya: Track this URL from Kaseya for official ongoing updates, patch and restore information from the company.
Blog originally published July 2, 2021. Updated regularly thereafter to reflect new developments in the cyberattack investigation and VSA software platform recovery.