Kaseya’s RMM System Will Be Back Online in “Hours, Not Days and Weeks”

In the wake of an attack affecting an estimated 50 to 60 MSPs, the IT management vendor expects to begin restoring service tomorrow, according to CEO Fred Voccola.

By Rich Freeman

Kaseya could begin restoring access to the online version of its VSA remote monitoring and management solution as soon as tomorrow, according to an update posted this afternoon on the company’s website.

The IT management vendor’s executive committee will make a final decision on restarting VSA’s SaaS infrastructure at midnight Eastern Daylight Time tonight. If it opts to proceed, service will be restored on July 5th in Europe, the U.K., and Asia starting at 4 a.m., and in North America starting at 5 p.m.

An update to the on-premises edition of VSA will be available soon as well. Kaseya plans to begin communicating details on the release process for that software tomorrow. A Compromise Detection Tool for the exploit has been available since yesterday.

The timelines now on Kaseya’s website confirm remarks made by CEO Fred Voccola to ChannelPro earlier today. VSA, he said, should be back up “in the very near future, hours not days and weeks.”

Kaseya has already written and tested the on-premises update, he added. Three independent security service providers are now reviewing the code.

VSA was struck by a sophisticated cyberattack on Friday. The solution’s cloud infrastructure has been offline since then, and the company continues to advise users of the on-premises version to keep that software offline too.

When a final tally is available, Voccola says, Kaseya expects about 50 to 60 out of roughly 38,000 VSA users to have been impacted by the attack, which employed the RMM system as an entry mechanism for distributing ransomware to end users. Kaseya does not currently know how many such end-user organizations have been affected.

In addition to finalizing patches, Voccola says, “we’re also hardening our software and our infrastructure with additional layers.” Those measures include further third-party monitoring of Kaseya’s SaaS servers and implementation of enhanced web application firewall protection, according to the company’s website. 

One of the extra security safeguards going into effect soon will change the underlying IP addresses of VSA’s cloud servers. Kaseya is “working on a program to enable us to extend our new security measures to our on-premises customers,” the website says, and will provide more details before issuing the update for that system.

In the interim, according to Voccola, Kaseya is working one-on-one with end user victims of the ransomware strike, either directly or via their MSP, based on the MSP’s preference. 

“For every customer who has been hit by this, we will do everything in our power to fix it,” he says. “We provide and are paying for experts to advise everyone on what to do.”

Those experts include ransomware negotiation specialists, as well as Kaseya’s in-house technical staff. The company is putting victims in touch with contacts at the FBI for assistance as well.

The FBI, according to Voccola, is all but certain that the REvil malware consortium, which was behind the recent ransomware attack on meatpacker JBS, is responsible for this attack too. “They're saying it's them,” he says. “They know this group really well.”
