{
	"id": "df94f2a8-3faf-41c6-83b6-14880a6628d1",
	"created_at": "2026-04-06T00:14:42.429112Z",
	"updated_at": "2026-04-10T03:35:28.874922Z",
	"deleted_at": null,
	"sha1_hash": "1ec94952eb287e0765db86bd8cb730aae6670706",
	"title": "Update Regarding VSA Security Incident",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161888,
	"plain_text": "Update Regarding VSA Security Incident\r\nArchived: 2026-04-05 13:26:17 UTC\r\nJuly 26, 2021 - 1:00 PM EDT\r\nThroughout this past weekend, Kaseya’s Incident Response team and Emsisoft partners continued their work\r\nassisting our customers and others with restoration of their encrypted data. We continue to provide the decryptor\r\nto customers that request it, and we encourage all our customers whose data may have been encrypted during the\r\nattack to reach out to your contacts at Kaseya. The decryption tool has proven 100% effective at decrypting files\r\nthat were fully encrypted in the attack.\r\nKaseya has maintained our focus on assisting our customers, and when Kaseya obtained the decryptor last week\r\nwe moved as quickly as possible to safely use the decryptor to help our customers recover their encrypted data.\r\nRecent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage\r\nadditional ransomware attacks, but nothing could be further from our goal. While each company must make its\r\nown decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with\r\nthe criminals who perpetrated this attack and we have not wavered from that commitment. As such, we are\r\nconfirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third\r\nparty – to obtain the decryptor.\r\nJuly 23, 2021 - 3:00 PM EDT\r\nKaseya’s Incident Response team, assisted by Emsisoft, continues to provide our customers with the decryption\r\nkey and help them to restore any encrypted data that was not previously restored from backup. 
We have no reports\r\nof problems or issues with the decryptor.\r\nJuly 22, 2021 - 3:30 PM EDT\r\nKaseya has obtained universal decryptor key.\r\nOn 7/21/2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to\r\nremediate customers impacted by the incident.\r\nWe can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers\r\naffected by the ransomware to restore their environments, with no reports of any problem or issues associated with\r\nthe decryptor. Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has\r\nconfirmed the key is effective at unlocking victims.\r\nWe remain committed to ensuring the highest levels of safety for our customers and will continue to update here\r\nas more details become available.\r\nCustomers who have been impacted by the ransomware will be contacted by Kaseya representatives.\r\nhttps://www.kaseya.com/potential-attack-on-kaseya-vsa/\r\nPage 1 of 19\n\nJuly 19, 2021 - 3:15 PM EDT\r\nVSA 9.5.7.3011 Maintenance Patch Release Update\r\nKaseya is releasing patch 9.5.7.3011 which remediates functionality issues caused by the enhanced security\r\nmeasures put in place and provides bug fixes (this is not a security release).  
The full release notes with the fixes\r\nare available at: https://helpdesk.kaseya.com/hc/en-gb/articles/4404146456209.\r\nVSA SaaS Update\r\nThe first VSA SaaS deployment went live on Saturday July 17th US EDT for the following VSA SaaS instances:\r\nEU – SAAS03, EU – SAAS06, EU – SAAS11, EU – SAAS12, EU – SAAS16, EU – SAAS23, EU – SAAS24,\r\nEU – SAAS25, EU – SAAS28, EU – SAAS34, EU – SAAS39, EU – SAAS41, EU – SAAS43, US – NA1VSA01,\r\nUS – NA1VSA04, US – NA1VSA08, US – NA1VSA12, US – NA1VSA14, US – NA1VSA22, US –\r\nNA1VSA28, US – NA1VSA29, US – NA1VSA30, US – NA1VSA32, US – NA1VSA37, NA1VSA105, US –\r\nNA1VSA108, US – NA1VSA115, US – IAD2VSA02, US – IAD2VSA04\r\nThe remainder of the VSA SaaS instances will be updated tonight (July 19th) between 8PM and 4AM US EDT.\r\nVSA On-Premises Update:\r\nThe VSA On-Premises Patch will be released to customers and posted to the download site by 4:30PM US EDT\r\ntoday.\r\nJuly 16, 2021 - 7:00 PM EDT\r\nVSA 9.5.7.3011 Maintenance Patch Release Update\r\nKaseya will be releasing patch 9.5.7.3011 which remediates functionality issues caused by the enhanced security\r\nmeasures put in place and provides bug fixes (this is not a security release).  
The\r\nfull release notes with the fixes are available at: https://helpdesk.kaseya.com/hc/en-gb/articles/4404146456209.\r\nThe patch is planned to be available for VSA On-Premises customers by Monday July 19th end of day.\r\nThe first VSA SaaS deployment is planned for Saturday July 17th between 7AM and 11AM US EDT for the\r\nfollowing VSA SaaS instances: EU – SAAS03, EU – SAAS06, EU – SAAS11, EU – SAAS12, EU – SAAS16,\r\nEU – SAAS23, EU – SAAS24, EU – SAAS25, EU – SAAS28, EU – SAAS34, EU – SAAS39, EU – SAAS41,\r\nEU – SAAS43, US – NA1VSA01, US – NA1VSA04, US – NA1VSA08, US – NA1VSA12, US – NA1VSA14,\r\nUS – NA1VSA22, US – NA1VSA28, US – NA1VSA29, US – NA1VSA30, US – NA1VSA32, US –\r\nNA1VSA37, NA1VSA105, US – NA1VSA108, US – NA1VSA115, US – IAD2VSA02, US – IAD2VSA04\r\nThe remainder of the VSA SaaS instances are planned for deployment between 8PM and 4AM US EDT on\r\nMonday July 19th.\r\nJuly 14, 2021 - 5:00 PM EDT\r\nVSA Install Patch Check\r\nWhen running the Kinstall patch on your VSA, if you chose to reinstall VSA and either unchecked the default\r\noption to install the latest patch, or reran the Reinstall VSA process a 2nd time without the “install patch” option\r\nselected – it’s possible your patch was not re-applied.\r\nWhile these are rare edge cases, we recommend that you verify that the latest patch was installed properly.  We\r\nhave made a tool that enables you to ensure the patch is properly installed.\r\nDownload the verification tool at: https://app.box.com/s/5kqsbdj9aajezsc63jzaadpka5esk1v8\r\nJuly 13, 2021 - 8:00 PM EDT\r\nJuly 12, 2021 - 3:30 PM EDT\r\nThe unplanned maintenance across the VSA SaaS infrastructure has completed and all instances are now live.\r\nWith the large number of users coming back online in a short window, we had seen some performance issues. We\r\nmade configuration changes to address the issue and it is now resolved. 
We will continue to monitor the\r\nperformance and make adjustments as required.\r\nJuly 12, 2021 - 12:15 PM EDT\r\nUnplanned maintenance will be performed across the entire SaaS farm today, between 12:00 PM and 2:00 PM EDT\r\nwith an expected downtime of 20 minutes. With the large number of users coming back online in a short window,\r\nwe have seen some performance issues. We made some configuration changes to address this and need to restart the\r\nservers for these to take effect and improve performance.\r\nJuly 12, 2021 - 8:00 AM EDT\r\nVSA Update:\r\nAs posted in the previous update we released the patch to VSA On-Premises customers and began deploying to\r\nour VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is now complete, with 100%\r\nof our SaaS customers live as of 3:30 AM US EDT.  Our support teams continue to work with VSA On-Premises\r\ncustomers who have requested assistance with the patch.\r\nWe will continue to post updates as new information becomes available.\r\nJuly 12, 2021 - 3:00 AM EDT\r\nAs posted in the previous update we released the patch to VSA On-Premises customers and began deploying to\r\nour VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is progressing, with 95% of\r\nour SaaS customers live and servers coming online for the rest of our customers in the coming hours. Our support\r\nteams are working with VSA On-Premises customers who have requested assistance with the patch.\r\nWe will continue to post updates on the patch rollout progress and server status.\r\nJuly 11, 2021 - 10:00 PM EDT\r\nVSA Update:\r\nAs posted in the previous update we released the patch to VSA On-Premises customers and began deploying to\r\nour VSA SaaS Infrastructure prior to the 4:00 PM target. 
The restoration of services is progressing according to\r\nplan, with 60% of our SaaS customers live and servers coming online for the rest of our customers in the coming\r\nhours. Our support teams are working with VSA On-Premises customers who have requested assistance with the\r\npatch.\r\nWe will continue to post updates on the patch rollout progress and server status throughout the evening.\r\nJuly 11, 2021 - 4:30 PM EDT\r\nKaseya EVP Mike Sanders Provides Situational Update for VSA Readiness - July 11, 2021 12:15\r\nPM EDT\r\nJuly 11, 2021 - 10:30 AM EDT\r\nKaseya EVP Mike Sanders Provides Situational Update for VSA Readiness - July 10, 2021 3:30\r\nPM EDT\r\nKaseya’s technical teams and their partners are actively testing the updates and will continue to do so over the\r\nnext 24 hours. Mike Sanders updates on progress and provides guidance for customers in advance of tomorrow’s\r\nrelease.\r\nJuly 10, 2021 - 2:00 PM EDT\r\nJuly 10, 2021 - 9:30 AM EDT\r\nJuly 9, 2021 - 7:00 PM EDT\r\nReminder: Spammers are using the news about the Kaseya Incident to send out fake email notifications that\r\nappear to be Kaseya updates. 
These are phishing emails that may contain malicious links and/or attachments, or\r\nphone calls claiming to be Kaseya Partners – DO NOT click on links or download attachments and DO NOT respond\r\nto phone calls claiming to be a Kaseya Partner.\r\nUpdates:\r\nSunday, July 11th at 4 PM EDT the VSA On-Premises Patch will be available and we will start the deployment to\r\nour VSA SaaS Infrastructure.\r\nWe have updated our VSA On-Premise Hardening and Practice Guide (added Step #7) which can be viewed by\r\nvisiting: https://helpdesk.kaseya.com/hc/en-gb/articles/4403760102417\r\nKaseya EVP Mike Sanders Provides Situational Update for VSA Readiness - July 9, 2021 6:00 PM\r\nEDT\r\nKaseya’s technical teams and their partners continue to work toward getting customers back up and running. EVP\r\nMike Sanders explains progress to date, and raises awareness of suspicious communications coming from outside\r\nKaseya.  \r\nJuly 9, 2021 - 5:00 PM EDT\r\nAs previously communicated, spammers are using the news about the Kaseya Incident to send out fake email\r\nnotifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or\r\nattachments.\r\nSpammers may also be making phone calls claiming to be a Kaseya Partner reaching out to help.\r\nKaseya IS NOT having any partners reach out – DO NOT respond to any phone calls claiming to be a Kaseya\r\nPartner.\r\nDO NOT click on any links or download any attachments in emails claiming to be a Kaseya advisory. 
However,\r\nsome customers have subscribed to our support site and, at this point, those automated emails may contain links.\r\nAs a precaution, be careful with any links or attachments in any emails.\r\nNew Updates:\r\nWe will be providing a video update from our Executive Vice President, Mike Sanders, later this evening with an\r\nupdate on the incident, our response, and our release planned for this Sunday at 4PM US EDT.\r\nWe have updated our VSA On-Premises Hardening and Practice Guide (added Step #7) which can be viewed by\r\nvisiting: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993\r\nJuly 9, 2021 - 12:00 PM EDT\r\nAs previously communicated, spammers are using the news about the Kaseya Incident to send out fake email\r\nnotifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or\r\nattachments.\r\nSpammers may also be making phone calls claiming to be a Kaseya Partner reaching out to help.\r\nKaseya IS NOT having any partners reach out – DO NOT respond to any phone calls claiming to be a Kaseya\r\nPartner.\r\nDO NOT click on any links or download any attachments in emails claiming to be a Kaseya advisory.\r\nJuly 9, 2021 - 9:00 AM EDT\r\nKaseya CTO Dan Timpson Addresses Progress to Date and Next Steps for VSA - July 8, 2021 5:00\r\nPM EDT\r\nKaseya’s technical teams and their partners have been working around the clock to help affected customers get\r\nback up and running. CTO Dan Timpson talks about the agency, incident response and research partners who are\r\nassisting Kaseya’s internal teams to ensure the highest levels of security prior to go-live and outlines the steps\r\nKaseya is taking to ensure its VSA customers get back online securely. 
He further discusses the contained impact\r\nto VSA within the IT Complete platform and the intentional compartmentalized design that ensures the security of\r\nthe remaining 26 modules within the platform. \r\nJuly 8, 2021 - 1:30 PM EDT\r\nEarlier today we released a video post from our CEO updating the patch rollout timeline as follows:\r\nSunday July 11th at 4PM EDT the On-Premises Patch will be available and we will start the deployment to our\r\nVSA SaaS Infrastructure.\r\nWe will be providing a video update from our CTO later this evening which will be emailed to VSA customers\r\nproviding further technical clarity. We will continue to provide both text and daily video updates from executives\r\nas we move forward toward release this Sunday.\r\nWe have also updated our runbooks for customers to prepare for the rollout and restoration of service. If you have\r\nnot reviewed the runbook, please ensure you review the links below (please note we will send notifications in\r\nfuture email updates if runbooks are updated with additional information):\r\nFor our VSA On-Premises customers, we have now published a runbook of the changes to make to your on-premises environment so customers can prepare for the patch release. Here is the link to the runbook\r\n(https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993).\r\nFor our VSA SaaS customers, we have published a runbook to help you prepare for the steps you can take after\r\nthe SaaS environment returns to service at: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709476369\r\nJuly 7, 2021 - 9:45 PM EDT\r\nFor our VSA On-Premises customers, we have now published a runbook of the changes to make to your on-premises environment so customers can prepare for the patch release. Here is the link to the\r\nrunbook (https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993). \r\nWe are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment. 
We apologize\r\nfor the delay and changes to the plans as we work through this fluid situation.\r\nWe will be providing a video update from our CEO later this evening which will be emailed to VSA customers\r\nproviding further clarity.\r\nImportant Message from Kaseya CEO Fred Voccola - July 7, 2021 8:00 PM EDT\r\nJuly 7, 2021 - 7:00 PM EDT\r\nWe are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment. We apologize\r\nfor the delay and changes to the plans as we work through this fluid situation.\r\nWe will be providing a video update from our CEO later this evening which will be emailed to VSA customers\r\nproviding further clarity.\r\nFor our VSA On-Premises customers, we will be publishing a runbook of the changes to make to your on-premises environment on this site later this evening so customers can prepare for the patch release.\r\nJuly 7, 2021 - 3:00 PM EDT\r\nThe detailed runbook to prepare an On Premise VSA implementation for the new release is being finalized.  This\r\nrunbook is being emailed to you, and it will be posted on our support website.   \r\nThe runbook consists of the following:  \r\nSteps to Isolate the VSA server from the network and the internet \r\nHow to Run the Detection Tool  \r\nThe link to the detection tool is below as part of previous updates \r\nSteps to patch your operating system to ensure it is up to date \r\nDetailed review of the required changes to IIS  \r\nHow to download the FireEye agent on the VSA Server \r\nHow to implement the FireEye agent on the VSA Server \r\nFinal review of the checklist before the installation of the new VSA release \r\nThe next update for On Premise VSA Customers is scheduled for 6pm tonight.  This update will include the\r\ntiming of the new VSA release for On Premise VSA Customers. 
\r\nJuly 7, 2021 - 12:00 PM EDT\r\nVSA On-Premises Update\r\nFor on-premises customers we will be publishing a runbook of the changes to make to your on-premises\r\nenvironment by 3PM US EDT today so customers can prepare for the patch release.\r\nWe will update the planned availability of the VSA On-Premises patch by 5PM US EDT today.\r\nVSA SaaS Update\r\nDuring the VSA SaaS deployment an issue was discovered that has blocked the release. We are resolving\r\nthe issue that is related to our SaaS infrastructure and we plan on beginning to restore SaaS services no\r\nlater than the evening of Thursday July 8th US time.\r\nJuly 7, 2021 - 8:00 AM EDT\r\nAs communicated in our last update, unfortunately, during the deployment of the VSA update an issue was\r\ndiscovered that has blocked the release. We have not yet been able to resolve the issue. The R\u0026D and operations\r\nteams worked through the night and will continue to work until we have unblocked the release. We will provide a\r\nstatus update at 12:00PM US EDT.\r\nJuly 6, 2021 - 10:00 PM EDT\r\nDuring the VSA SaaS deployment an issue was discovered that has blocked the release. Unfortunately, the VSA\r\nSaaS rollout will not be completed in the previously communicated timeline. We apologize for the delay and R\u0026D\r\nand operations are continuing to work around the clock to resolve this issue and restore service. We will be\r\nproviding a status update at 8AM US EDT.\r\nJuly 6, 2021 - 7:30 PM EDT\r\nKaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   Due to our teams’ fast\r\nresponse, we believe that this has been localized to a very small number of on-premises customers only.  \r\nOur security, support, R\u0026D, communications, and customer teams continue to work around the clock in all\r\ngeographies to resolve the issue and restore our customers to service. 
\r\nThis update provides further detail on the July 6, 2021  5:00 PM EDT and earlier updates.    \r\nThe technical work for SaaS Deployment has started at 4:00 PM EDT and will continue for the\r\nnext several hours pending no issues.     \r\nWe are configuring an additional layer of security to our SaaS infrastructure which will change the\r\nunderlying IP address of our VSA servers (the domain names/URL will not change).  For almost all\r\ncustomers, this change will be transparent.  However if, and only if, you have whitelisted your Kaseya\r\nVSA server in your firewall(s), you will need to update the IP whitelist.  The new IP addresses can be\r\nfound at:  https://www.cloudflare.com/ips/ \r\nNo SaaS VSA services are on-line as of 7:30 PM.    The enhanced security measures\r\nare currently being implemented and verified for proper operation.  Once operational, we will then publish\r\nthe VSA availability timeline.   We will be updating the support web page hourly at\r\nhttps://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689 \r\nOur On-Premises patch timeline is 24 hours (or less) from the restoration of SaaS services.  We are focused\r\non shrinking this time frame to the minimal possible – but if there are any issues found during the spin-up\r\nof SaaS, we want to fix them before bringing our on-premises customers up. \r\nContinued Advisory \r\nAll on-premises VSA Servers should continue to remain offline until further instructions from Kaseya\r\nabout when it is safe to restore operations.  A patch will be required to be installed prior to restarting the\r\nVSA and a set of recommendations on how to increase your security posture. \r\nWe have been advised by our outside experts,\r\nthat customers who experienced ransomware and receive communication from\r\nthe attackers should not click on any links – they may be weaponized. \r\nJuly 6, 2021 - 5:00 PM EDT\r\nGood progress being made. 
The next update will be posted by 6:00 PM.\r\nJuly 6, 2021 - 12:00 PM EDT\r\nNext Update is planned to be published July 6th between 2:00 PM and 5:00 PM EDT.\r\nKaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast\r\nresponse, we believe that this has been localized to a very small number of on-premises customers only.\r\nOur security, support, R\u0026D, communications, and customer teams continue to work around the clock in all\r\ngeographies to resolve the issue and restore our customers to service.\r\nThis update provides further detail on the July 5, 2021 9:30 PM EDT and earlier updates.\r\nOur Timeline for bringing SaaS servers on-line has shifted out by two hours – it is now July 6th\r\nbetween 4:00 PM EDT and 7:00 PM EDT due to configuration change and enhanced security\r\nmeasures being put in place.\r\nOur On-Premises patch timeline is 24 hours (or less) from the restoration of SaaS services. 
We are\r\nfocused on shrinking this time frame to the minimal possible – but if there are any issues found\r\nduring the spin-up of SaaS, we want to fix them before bringing our on-premises customers up.\r\nThe enhanced security measures that will be brought online are:\r\n24/7 Independent SOC for every VSA with the ability to quarantine and isolate files and entire VSA\r\nservers.\r\nA complementary CDN with WAF for every VSA (Including on premise that opt-in and wish to use\r\nit – details will be available in a KB later this afternoon).\r\nCustomers who whitelist IPs will be required to whitelist additional IPs.\r\nA new KB article on the SOC, CDN, and Whitelisting details will be published later this afternoon\r\nand linked to this KB on the Kaseya website.\r\nGreatly reduces the attack surface of Kaseya VSA overall.\r\nLater today we will release a customer-ready statement for you to use to communicate to your\r\ncustomers on the incident and the security measures that we have put in place.\r\nA Compromise Detection Tool can be downloaded at the following link: VSA Detection Tool | Powered by\r\nBox. This continues to be enhanced, so please refer to the download site for the latest version.\r\nIncident Update – more details can be found here: Incident Overview \u0026 Technical Details – Kaseya\r\nTo date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises\r\nproduct, who were directly compromised by this attack. 
While many of these customers provide IT\r\nservices to multiple other companies, we understand the total impact thus far has been to fewer than 1,500\r\ndownstream businesses.\r\nWe have not found evidence that any of our SaaS customers were compromised.\r\nVSA is the only Kaseya product affected by the attack and all other IT Complete modules are not impacted.\r\nContinued Advisory\r\nAll on-premises VSA Servers should continue to remain offline until further instructions from Kaseya\r\nabout when it is safe to restore operations. A patch will be required to be installed prior to restarting the\r\nVSA and a set of recommendations on how to increase your security posture.\r\nWe have been advised by our outside experts, that customers who experienced ransomware\r\nand receive communication from the attackers should not click on any links – they may be\r\nweaponized.\r\nJuly 5, 2021 - 9:30 PM EDT\r\nNext Update is planned to be published July 6th between 8:00 AM and 12:00 PM EDT.  \r\nKaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   Due to our teams’ fast\r\nresponse, we believe that this has been localized to a very small number of on-premises customers only.\r\nOur security, support, R\u0026D, communications, and customer teams continue to work around the clock in all\r\ngeographies to resolve the issue and restore our customers to service.\r\nThis update provides further detail on the July 5, 2021 1:00 PM EDT and earlier updates.\r\nIncident Update\r\nIn an effort to be transparent with our customers, Kaseya is sharing the information concerning the\r\nrecent ransomware attack in an Incident Overview \u0026 Technical Details document which is available\r\nat this link.\r\nTo date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. 
While many of these customers\r\nprovide IT services to multiple other companies, we understand the total impact thus far has been to\r\nfewer than 1,500 downstream businesses.  We have not found evidence that any of our SaaS\r\ncustomers were compromised.\r\nWe have had no new reports filed of compromises for VSA customers since Saturday July 3rd.\r\nVSA is the only Kaseya product affected by the attack and all other IT Complete modules are not\r\nimpacted.\r\nAn article by Reuters covers the incident – link\r\nOur executive committee met this afternoon at 6:30 PM EDT to reset the timeline and process for bringing\r\nour SaaS and on-premises customers back online.\r\nThe Patch for on-premises customers has been developed and is currently going through the testing\r\nand validation process. We expect the patch to be available within 24 hours after our SaaS servers\r\nhave been brought up.\r\nThe current estimate for bringing our SaaS servers back online is July 6th between 2:00 PM – 5:00\r\nPM EDT.  A final go/no-go decision will be made tomorrow morning between 8:00 AM EDT –\r\n12:00 AM EDT.  These times may change as we go through the final testing and validation\r\nprocesses.\r\nWe will be releasing VSA with staged functionality to bring services back online sooner. The first release\r\nwill prevent access to functionality used by a very small fraction of our user base, including:\r\nClassic Ticketing\r\nClassic Remote Control (not LiveConnect).\r\nUser Portal\r\nKaseya met with the FBI/CISA tonight to discuss systems and network hardening requirements prior to\r\nservice restoration for both SaaS and on-premises customers. 
A set of requirements will be posted prior to\r\nservice restart to give our customers time to put these countermeasures in place in anticipation of a return\r\nto service on July 6th.\r\nA new version of the Compromise Detection Tool can be downloaded at the following link: VSA Detection\r\nTools.zip | Powered by Box\r\nThis tool analyzes a system (either VSA server or managed endpoint) and determines whether any\r\nindicators of compromise (IoC) are present.\r\nThe latest version searches for the indicators of compromise, data encryption, and the REvil ransom\r\nnote. We recommend that you re-run this procedure to better determine if the system was\r\ncompromised by REvil.\r\nOver 2,000 customers have downloaded this tool since Friday.\r\nContinued Advisory\r\nAll on-premises VSA Servers should continue to remain offline until further instructions from Kaseya\r\nabout when it is safe to restore operations. A patch will be required to be installed prior to restarting the\r\nVSA and a set of recommendations on how to increase your security posture.\r\nWe have been advised by our outside experts, that customers who experienced ransomware\r\nand receive communication from the attackers should not click on any links – they may be\r\nweaponized.\r\nJuly 5, 2021 - 1:00 PM EDT [Updated at 6:30 PM EDT]\r\nNext Update is planned to be published July 5th between 5:00 PM and 7:00 PM 7:00 PM and 8:00 PM EDT.\r\nKaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   
Due to our teams’ fast\r\nresponse, we believe that this has been localized to a very small number of on-premises customers only.\r\nOur security, support, R\u0026D, communications, and customer teams continue to work around the clock in all\r\ngeographies to resolve the issue and restore our customers to service.\r\nThis update provides further detail on the July 4, 2021 11:00 PM EDT and earlier updates.\r\nWe will be providing a separate update with more technical details of the incident to aid our customers and\r\nsecurity researchers during the afternoon of July 5th.\r\nSaaS Restoration Timeline Updates – UPDATE\r\nOur executive committee met this morning at 8:00 AM EDT, and to best minimize customer risk,\r\nfelt that more time was needed before we brought the data centers back online.\r\nThey elected to meet again later this afternoon at 3:00 PM EDT to reset the schedule for starting the\r\nrestoration process to bring our datacenters online. We will provide an updated timeline at\r\napproximately 5:00 PM – 7:00 PM EDT today (July 5th).\r\nWe are in the midst of deploying an enhanced security monitoring infrastructure and are testing the\r\nrevised incident response processes and performance management controls to ensure acceptable\r\noperations for our customers.\r\nThe next update will be later this evening (EDT) after the executive committee reconvenes.\r\nOn-Premises Patch Timeline Updates – NEW\r\nWe are developing the new patch for on-premises clients in parallel with the SaaS Data Center\r\nrestoration. We are deploying in SaaS first as we control every aspect of that environment.  
Once\r\nthat has begun, we will publish the schedule for distributing the patch for on-premises customers.\r\nThe Compromise Detection Tool can be downloaded at the following link: VSA Detection Tools.zip |\r\nPowered by Box. This tool analyzes a system (either VSA server or managed endpoint) and determines\r\nwhether any indicators of compromise (IoC) are present.\r\nContinued Advisory\r\nAll on-premises VSA Servers should continue to remain offline until further instructions from Kaseya\r\nabout when it is safe to restore operations. A patch will be required to be installed prior to restarting the\r\nVSA and a set of recommendations on how to increase your security posture.\r\nWe have been advised by our outside experts, that customers who experienced ransomware\r\nand receive communication from the attackers should not click on any links – they may be\r\nweaponized.\r\nJuly 5, 2021 - 11:00 AM EDT\r\nA revision to this update is coming later today.   Please check back at approximately 1:00 PM EDT.\r\nJuly 4, 2021 - 11:00 PM EDT\r\nNext Update is planned to be published July 5th in the morning EDT.   The update will be published on the\r\nKaseya.com support website (link here) in advance of the email being sent.  Checking this link is the fastest way to\r\nensure that you have the latest information from Kaseya.\r\nKaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   
Due to our teams’ fast\r\nresponse, we believe that this has been localized to a very small number of on-premises customers only.\r\nOur security, support, R\u0026D, communications, and customer teams continue to work around the clock in all\r\ngeographies to resolve the issue and restore our customers to service.\r\nThis update provides further detail on the July 4, 2021 5:45 PM EDT and earlier updates.\r\nSaaS Restoration Timeline Updates – UPDATE\r\nOur executive committee met at 10:00 PM EDT and to best minimize customer risk, felt that more\r\ntime was needed before we brought the data centers back online.\r\nThey elected to meet again tomorrow morning at 8:00 AM EDT to reset the schedule with a goal of\r\nstarting the restoration process to bring our datacenters online by end of day on July 5th local time\r\n(UTC) – but that timeframe is dependent on achieving some key objectives overnight.\r\nThe next update will be tomorrow morning EDT after the executive committee reconvenes.\r\nOn-Premises Patch Timeline Updates – NEW\r\nOnce we have begun the SaaS Data Center restoration process (see SaaS Restoration Timeline\r\nUpdates above), we will publish the schedule for distributing the patch for on-premises customers.\r\nContinued Advisory\r\nAll on-premises VSA Servers should continue to remain offline until further instructions from Kaseya\r\nabout when it is safe to restore operations. 
A patch will be required to be installed prior to restarting the\r\nVSA and a set of recommendations on how to increase your security posture.\r\nWe have been advised by our outside experts, that customers who experienced ransomware\r\nand receive communication from the attackers should not click on any links – they may be\r\nweaponized.\r\nThe new Compromise Detection Tool can be downloaded at the following link: VSA Detection Tools.zip This\r\ntool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of\r\ncompromise (IoC) are present.\r\nJuly 4, 2021 - 5:30 PM EDT\r\nNext Update will be published July 4th in the very late evening EDT. Checking this link is the fastest way to\r\nensure that you have the latest information from Kaseya.\r\nKaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast\r\nresponse, we believe that this has been localized to a very small number of on-premises customers only.\r\nOur security, support, R\u0026D, communications, and customer teams continue to work around the clock in all\r\ngeographies to resolve the issue and restore our customers to service.\r\nThis update provides further detail on the July 4, 2021 10:00 AM EDT and earlier updates.\r\nOur efforts have shifted from root cause analysis and mitigating the vulnerability to beginning the execution of\r\nour service recovery plan. This plan will consist of the following stages:\r\nCommunication of our phased recovery plan with SaaS customers first followed by on-premises customers.\r\nIn the spirit of responsible disclosure, Kaseya will be publishing a summary of the attack and what\r\nwe have done to mitigate it.\r\nSome lightly-used legacy VSA functionality will be removed as part of this release out of an\r\nabundance of caution. 
A specific list of the functionality and its impact on VSA capabilities will be\r\noutlined in the release notes.\r\nThere will be new security measures implemented including enhanced security monitoring of our\r\nSaaS servers by FireEye and enablement of enhanced WAF capabilities.\r\nWe have successfully completed an external Vulnerability Scan, checked our SaaS Databases for\r\nIndicators of Compromise, and have had external security experts review our code to ensure a\r\nsuccessful service restart.\r\nSaaS Restoration Timeline Updates\r\nOur executive committee will meet on July 5th at 5:00 AM UTC (12:00 AM EDT) to make a\r\nreadiness decision on restarting SaaS within the following time windows:\r\nEU, UK, \u0026 APAC Data Centers: July 5 – 9:00 AM UTC – 1:00 PM UTC (4:00 AM EDT –\r\n8:00 AM EDT)\r\nNorth American Data Centers: July 5 – 5:00 PM EDT – 10:00 PM EDT\r\nThese times/dates are subject to change and a status update will be posted on the website by 1:00\r\nAM UTC as to whether we are adhering to the above schedule or not. If not, we will publish a\r\nrevised schedule at that time.\r\nFor our SaaS Users:\r\nWe will bring our SaaS data centers back online on a one-by-one basis starting with our EU, UK\r\nand APAC data centers followed by our North American data centers.\r\nWe will be adding an additional layer of security to our SaaS infrastructure which will change the\r\nunderlying IP addresses of our VSA servers.\r\nFor our On-Premises Users\r\nWe are currently building our on-premises release to make available to customers. We will begin the\r\ncommunication of the on-premises release process on July 5.\r\nWe are working on a program to enable us to extend our new security measures to our on-premises\r\ncustomers. 
Most details for this will be available prior to the release of the on-premises patch.\r\nContinued Advisory\r\nAll on-premises VSA Servers should continue to remain offline until further instructions from Kaseya\r\nabout when it is safe to restore operations. A patch will be required to be installed prior to restarting the\r\nVSA and a set of recommendations on how to increase security posture.\r\nWe have been advised by our outside experts, that customers who experienced ransomware\r\nand receive communication from the attackers should not click on any links – they may be\r\nweaponized.\r\nThe new Compromise Detection Tool can be downloaded at the following link: VSA Detection Tools.zip\r\nThis tool analyzes a system (either VSA server or managed endpoint) and determines\r\nwhether any indicators of compromise (IoC) are present.\r\nJuly 4, 2021 - 10:00 AM EDT\r\nNext Update will be published July 4th in the early afternoon EDT.\r\nKaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast\r\nresponse, we believe that this has been localized to a very small number of on-premises customers only.\r\nThis update provides further detail on the 1:30 PM EDT update. The changes are underlined for clarity.\r\nOur security, support, communications, and customer teams continue to work around the clock in all geographies\r\nthrough the weekend to resolve the issue and restore our customers to service.\r\nThis update provides further detail on the July 3, 2021 7:30 PM EDT and 9:00 PM EDT updates. The changes are\r\nunderlined for clarity.\r\nContinued Advisory\r\nHosted VSA Servers will become operational once Kaseya has determined that we can safely restore\r\noperations. 
We are in the process of formulating a staged return to service of our SaaS server farms with\r\nrestricted functionality and a higher security posture (estimated in the next 24-48 hours but that is subject\r\nto change) on a geographic basis. More details on both the limitations, security posture changes, and time\r\nframe will be in the next communique later today.\r\nAll on-premises VSA Servers should continue to remain offline until further instructions from Kaseya\r\nabout when it is safe to restore operations. A patch will be required to be installed prior to restarting the\r\nVSA and a set of recommendations on how to increase security posture.\r\nWe have been advised by our outside experts, that customers who experienced ransomware\r\nand receive communication from the attackers should not click on any links as they may be\r\nweaponized.\r\nKey Points on Current Status\r\nThe new Compromise Detection Tool was rolled out last night to almost 900 customers who requested the\r\ntool. Based on feedback from customers, we will be publishing an update to the tool this morning that\r\nimproves its performance and usability. There are no changes that will require a re-run of the tool on\r\nsystems that have been scanned.\r\nThis new version of the Compromise Detection Tool will be automatically sent to customers who received\r\nthe first version. New requests can be made by sending an email to support@kaseya.com with the subject\r\n“Compromise Detection Tool Request”.\r\nWe will be opening up a private download site for end customers to get access to the Compromise\r\nDetection Tool once we have ensured the security, integrity, and trackability of the download process. More\r\nabout this in the next update.\r\nWe continue to work with FireEye Mandiant IR (a leading computer incident response firm) on the security\r\nincident. 
Our joint efforts have not identified any new IoCs since yesterday and we have deployed our\r\nCompromise Detection Tool at hundreds of customers. At this point, no “False Positives” have been\r\nreported by users. [Note: A “False Positive” indicates that the Compromise Detection Tool incorrectly\r\nclassifies a system as impacted when it wasn’t]\r\nWe have been actively engaged with FireEye and other security assessment firms to assess the manner and\r\nimpact of the attack to ensure that our R\u0026D organization has properly identified and mitigated the\r\nvulnerability. We are continuing the investigation in parallel with the remediation steps.\r\nR\u0026D has replicated the attack vector and the mitigation work is in progress. We expect to complete the\r\nwork in the next 24-48 hours and the testing is progressing in parallel.\r\nFred Voccola, CEO of Kaseya, was interviewed regarding this incident on Good Morning America on the\r\nABC network on Sunday, July 4th. The interview was significantly edited down from the full interview\r\nthat Fred gave. The short message was: “We are sure we know how it happened and we are remediating it.”\r\nWe have engaged with the FBI and DHS CISA and are working with them on an incident-handling process\r\nfor our worldwide customers impacted by the cyberattack. The following message will be posted to the FBI\r\nwebsite:\r\n“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we\r\nencourage you to employ all recommended mitigations, follow Kaseya’s guidance to shut down your VSA\r\nservers immediately, and report your compromise to the FBI at https://www.IC3.gov. 
Due to the potential\r\nscale of this incident, we may be unable to respond to each victim individually but all information we\r\nreceive will be useful in countering this threat.”\r\nAt this time, we believe that none of our NOC customers (neither SaaS nor on-premises) were affected by\r\nthe attack. We’re continuing to investigate, but no compromised NOC customers have been found as of\r\nJuly 4th at 10:00 AM EDT.\r\nKaseya executives are directly reaching out to impacted customers to understand their situations and what\r\nassistance is possible. If you believe that you have been impacted, please contact support@kaseya.com\r\nwith the subject “Security Incident Report.” There have been no new reports of compromises since our\r\nlast report yesterday. We are confident we understand the scope of the issue and are partnering with each\r\nclient to do everything possible to remediate. We believe that there is zero related risk right now for any\r\nVSA client who is a SaaS customer or on-premises VSA customer who has their server offline.\r\nJuly 3, 2021 - 9:00 PM EDT\r\nKaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast\r\nresponse, we believe that this has been localized to a very small number of on-premises customers only.\r\nThis update provides further detail on the 1:30 PM EDT update. The changes are underlined for clarity.\r\nKey Points on Current Status:\r\nAll On-Premises VSA Servers should continue to remain offline until further instructions from Kaseya\r\nabout when it is safe to restore operations. A patch will be required to be installed prior to restarting the\r\nVSA. 
We plan to give our first time estimate in tomorrow morning’s update at approximately 9:00 AM\r\nEDT.\r\nSaaS \u0026 Hosted VSA Servers will become operational once Kaseya has determined that we can safely\r\nrestore operations.\r\nWe have been advised by our outside experts, that customers who experienced ransomware\r\nand receive communication from the attackers should not click on any links, as they may be\r\nweaponized.\r\nA Compromise Detection Tool will be available later this evening to Kaseya VSA customers by sending\r\nan email to support@kaseya.com with the subject “Compromise Detection Tool Request” from an email\r\naddress that is associated with a VSA customer.\r\nWith the availability of the Compromise Detection tool, we strongly recommend that compromised\r\ncustomers immediately begin the recovery process.\r\nFred Voccola, CEO of Kaseya, will be interviewed regarding this incident on Good Morning America on\r\nthe ABC network on Sunday, July 4th. Please consult your local TV listings for times in your region. (This\r\nis subject to last minute rescheduling by the network)\r\nKaseya executives are directly reaching out to impacted customers to understand their situations and what\r\nassistance is possible. If you believe that you have been impacted, please contact support@kaseya.com\r\nwith the subject “Security Incident Report.” There has been only one new report of a compromise\r\noccurring today due to a VSA on-premises server being left on. We are confident we understand the scope\r\nof the issue and are partnering with each client to do everything possible to remediate. 
We believe that\r\nthere is zero related risk right now for any VSA client who is a SaaS customer or on-prem VSA customer\r\nwho has their server off.\r\nWe have engaged a computer incident response firm (FireEye Mandiant IR) to identify the indicators of\r\ncompromise (IoCs) to ensure that we can identify which systems and data were accessed. We have\r\nidentified a set of preliminary IoCs and have been working with our affected customers to validate them.\r\nThe availability of the Compromise Detection Tool is based on our interactions with our outside experts.\r\nWe have been actively engaged with FireEye and other security assessment firms to assess the manner and\r\nimpact of the attack to ensure that our R\u0026D organization has properly identified and mitigated the\r\nvulnerability.\r\nR\u0026D has replicated the attack vector and is working on mitigating it. We have begun the process of\r\nremediating the code and will include regular status updates on our progress starting tomorrow morning.\r\nWe will begin working with select customers to field test the changes once we have completed the work\r\nand tested it thoroughly in our environment. We will not publish a resolution timeframe until we have\r\nthoroughly validated and tested the proposed solution.\r\nAt this time, we believe that none of our NOC customers (neither SaaS nor on-premises) were affected by\r\nthe attack. 
We’re continuing to investigate this, but no compromised NOC customers have been found as of\r\n7:00 PM EDT.\r\nWe have engaged with the FBI and are working with them on an incident-handling process for our\r\nworldwide customers impacted by the cyberattack.\r\nJuly 3, 2021 - 1:30 PM EDT\r\nKaseya is progressing on the security incident along multiple workstreams:\r\nSince the security of our customers is paramount, we are continuing to strongly recommend that our on-premises customers’ VSA servers remain offline until further notice. We will also keep our SaaS\r\nservers offline until further notice.\r\nWe have been advised by our outside experts, that customers who experienced ransomware and\r\nreceive communication from the attackers should not click on any links — they may be weaponized.\r\nWe have engaged with the FBI and are working with them on an incident handling process for our\r\nworldwide customers impacted by the cyberattack. We will be publishing a list of contacts later today.\r\nKaseya executives are directly reaching out to impacted customers to understand their situations and what\r\nassistance is possible. Anyone who believes they have been impacted should contact support@kaseya.com\r\nwith the subject “Security Incident Report.”\r\nWe continue to engage with industry experts to assess the manner and impact of the attack and ensure that\r\nour R\u0026D organization has properly identified and mitigated the vulnerability.\r\nR\u0026D has replicated the attack vector and is working on mitigating it. We will not publish a resolution\r\ntimeframe until we have thoroughly validated and tested the proposed solution. 
We appreciate our\r\ncustomers’ patience.\r\nWe have engaged a computer forensics firm to identify the indicators of compromise (IOCs) to ensure that\r\nwe can identify which systems and data were accessed.\r\nR\u0026D is working on a self-assessment tool for our customers, to enable them to definitively determine\r\nwhether they were affected. This will be published as part of the patch for on-premises customers.\r\nAt this time, we believe that none of our NOC customers (neither SaaS nor on-premises) were affected by the\r\nattack. We’re continuing to investigate this.\r\nALL ON-PREMISES VSA SERVERS SHOULD CONTINUE TO REMAIN OFFLINE UNTIL\r\nFURTHER INSTRUCTIONS FROM KASEYA ABOUT WHEN IT IS SAFE TO RESTORE\r\nOPERATIONS. A PATCH WILL BE REQUIRED TO BE INSTALLED PRIOR TO RESTARTING\r\nTHE VSA.\r\nSAAS \u0026 HOSTED VSA SERVERS WILL BECOME OPERATIONAL ONCE KASEYA HAS\r\nDETERMINED THAT WE CAN SAFELY RESTORE OPERATIONS.\r\nJuly 3, 2021 - 10:30 AM EDT\r\nKaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast\r\nresponse, we believe that this has been localized to a very small number of on-premises customers only.\r\nSince the security of our customers is paramount, we are continuing to strongly recommend that our on-premises customers’ VSA servers remain down until further notice. We will also keep our SaaS servers offline\r\nuntil further notice.\r\nWe have been advised by our outside experts, that customers who experienced ransomware and receive a\r\ncommunication from the attackers should not click on any links – they may be weaponized.\r\nKaseya has been working around the clock to resolve this issue from a security assessment, client support, progress\r\nupdate, technical resolution, and return to operational status standpoint.\r\nA comprehensive update is in progress and will be published later this morning (EDT). 
This communication will\r\ninclude prescriptive information on:\r\nThe external authorities (FBI, Incident Response Experts) that we have engaged and how we are leveraging\r\nthem for assistance;\r\nHow our customers can engage Kaseya for assistance and what we can do to help;\r\nHow to determine whether customers have been compromised;\r\nStatus updates from R\u0026D on the progress of the patch for on-premises users;\r\nThe plan to bring our SaaS and on-premises customers back online;\r\nA detailed description of the Security Incident process and current status;\r\nA schedule for communications updates;\r\nOther important information about the recovery process.\r\nOngoing updates will be provided every 3-4 hours or more often based on breaking details.\r\n1. ALL ON-PREMISES VSA SERVERS SHOULD CONTINUE TO REMAIN OFFLINE UNTIL FURTHER\r\nINSTRUCTIONS FROM KASEYA.\r\n2. SAAS \u0026 HOSTED VSA SERVERS WILL BECOME OPERATIONAL ONCE KASEYA HAS\r\nDETERMINED THAT WE CAN SAFELY RESTORE OPERATIONS.\r\nJuly 2, 2021 - 10:00 PM EDT\r\nBeginning around mid-day (EDT/US) on Friday July 2, 2021, Kaseya’s Incident Response team learned of a\r\npotential security incident involving our VSA software.\r\nWe took swift actions to protect our customers:\r\nImmediately shut down our SaaS servers as a precautionary measure, even though we had not received any\r\nreports of compromise from any SaaS or hosted customers;\r\nImmediately notified our on-premises customers via email, in-product notices, and phone to shut down\r\ntheir VSA servers to prevent them from being compromised.\r\nWe then followed our established incident response process to determine the scope of the incident and the extent\r\nthat our customers were affected.\r\nWe engaged our internal incident response team and leading industry experts in forensic investigations to\r\nhelp us determine the root cause of the issue;\r\nWe notified law 
enforcement and government cybersecurity agencies, including the FBI and CISA.\r\nWhile our early indicators suggested that only a very small number of on-premises customers were affected, we\r\ntook a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000\r\ncustomers to the best of our ability. We have received positive feedback from our customers on our rapid and\r\nproactive response.\r\nWhile our investigation is ongoing, to date we believe that:\r\nOur SaaS customers were never at-risk. We expect to restore service to those customers once we have\r\nconfirmed that they are not at risk, which we expect will be within the next 24 hours;\r\nOnly a very small percentage of our customers were affected – currently estimated at fewer than 40\r\nworldwide.\r\nWe believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our\r\non-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our\r\ncustomers back up and running.\r\nI am proud to report that our team had a plan in place to jump into action and executed that plan perfectly today.\r\nWe’ve heard from the vast majority of our customers that they experienced no issues at all, and I am grateful to\r\nour internal teams, outside experts, and industry partners who worked alongside of us to quickly bring this to a\r\nsuccessful outcome.\r\nToday’s actions are a testament to Kaseya’s unwavering commitment to put our customers first and provide the\r\nhighest level of support for our products.\r\nFred Voccola, CEO\r\nKaseya\r\nSource: https://www.kaseya.com/potential-attack-on-kaseya-vsa/\n\nVSA SaaS Update\nThe first VSA SaaS deployment went live on Saturday July 17th US EDT for the following VSA SaaS instances:\nEU-SAAS03, EU-SAAS06, EU-SAAS11, EU-SAAS12, EU-SAAS16, EU-SAAS23, EU-SAAS24,\nEU-SAAS25, EU-SAAS28, EU-SAAS34, EU-SAAS39, EU-SAAS41, EU-SAAS43, US-NA1VSA01,\nUS-NA1VSA04, US-NA1VSA08, US-NA1VSA12, US-NA1VSA14, US-NA1VSA22,\nUS-NA1VSA28, US-NA1VSA29, US-NA1VSA30, US-NA1VSA32, US-NA1VSA37, NA1VSA105,\nUS-NA1VSA108, US-NA1VSA115, US-IAD2VSA02, US-IAD2VSA04\nThe remainder of the VSA SaaS instances will be updated tonight (July 19th) 8PM and 4AM US EDT.\nVSA On-Premises Update:\nThe VSA On-Premises Patch will be released to customers and posted to the download site by 4:30PM US EDT\ntoday.\nJuly 16, 2021 - 7:00 PM EDT\nVSA 9.5.7.3011 Maintenance Patch Release Update\nKaseya will be releasing patch 9.5.7.3011 which remediates functionality issues caused by the enhanced security\nmeasures put in place and provides bug fixes (this is not a security release). The\nfull release notes with the fixes are available at: https://helpdesk.kaseya.com/hc/en-gb/articles/4404146456209.\nThe patch is planned to be available for VSA On-Premises customers by Monday July 19th end of day.\nThe first VSA SaaS deployment is planned for Saturday July 17th between 7AM and 11AM US EDT for the\nfollowing VSA SaaS instances: EU-SAAS03, EU-SAAS06, EU-SAAS11, EU-SAAS12, EU-SAAS16,\nEU-SAAS23, EU-SAAS24, EU-SAAS25, EU-SAAS28, EU-SAAS34, EU-SAAS39, EU-SAAS41,\nEU-SAAS43, US-NA1VSA01, US-NA1VSA04, US-NA1VSA08, US-NA1VSA12, US-NA1VSA14,\nUS-NA1VSA22, US-NA1VSA28, US-NA1VSA29, US-NA1VSA30, US-NA1VSA32,\nUS-NA1VSA37, NA1VSA105, US-NA1VSA108, US-NA1VSA115, US-IAD2VSA02, US-IAD2VSA04\nThe remainder of the VSA SaaS instances are planned for deployment between 8PM and 4AM US EDT on\nMonday July 19th.\nJuly 14, 2021 - 5:00 PM EDT\nVSA Install Patch Check\n\nGood progress being made. The next update will be posted by 6:00 PM.\nJuly 6, 2021 - 12:00 PM EDT\nNext Update is planned to be published July 6th between 2:00 PM and 5:00 PM EDT.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kaseya.com/potential-attack-on-kaseya-vsa/"
	],
	"report_names": [
		"potential-attack-on-kaseya-vsa"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434482,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ec94952eb287e0765db86bd8cb730aae6670706.pdf",
		"text": "https://archive.orkl.eu/1ec94952eb287e0765db86bd8cb730aae6670706.txt",
		"img": "https://archive.orkl.eu/1ec94952eb287e0765db86bd8cb730aae6670706.jpg"
	}
}