Kaseya VSA supply chain ransomware attack
The NCSC is aware of a developing supply chain attack which may present significant risk to NZ organisations. The NCSC is working with CERT NZ, New Zealand Police, and other agencies to assess the impact to New Zealand organisations.
- The NCSC is aware of a supply chain attack affecting Kaseya VSA, a remote management and network monitoring product.
- The attack has been leveraged to deploy ransomware to networks which utilise Kaseya VSA.
- The variant of ransomware deployed is REvil/Sodinokibi.
- Preliminary details about the activity suggest that VSA admin accounts are disabled shortly before ransomware is deployed.
- The NCSC strongly recommends that organisations determine if Kaseya VSA is utilised in your environment, either by your own internal IT team or by a service provider who has access to your network.
- If Kaseya VSA is present in your environment, the NCSC recommends organisations should urgently take the steps outlined in the advisory published by Kaseya.
- Kaseya has provided a compromise detection tool to assess for evidence of compromise.
- Kaseya is recommending that on-premise VSA servers be shut down until further information is provided.
- If you believe you have been impacted by this activity, please contact the NCSC Incident Coordination & Response team via email: firstname.lastname@example.org
- Kaseya: important notice
- Sophos blog entry: Kaseya VSA supply chain ransomware attack
- NCSC guidance: Supply Chain Cyber Security
The NCSC will continue to monitor the situation for developments.