{
	"id": "aa1455d2-7058-4151-9b8e-3f2f689a24c9",
	"created_at": "2026-04-06T00:15:00.660003Z",
	"updated_at": "2026-04-10T13:12:32.811041Z",
	"deleted_at": null,
	"sha1_hash": "d8c5d8ef0f7400c45d90455401cedb97b84c6f98",
	"title": "CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45011,
	"plain_text": "CISA-FBI Guidance for MSPs and their Customers Affected by the\r\nKaseya VSA Supply-Chain Ransomware Attack | CISA\r\nPublished: 2021-07-06 · Archived: 2026-04-05 22:55:49 UTC\r\nCISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware\r\nattack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and\r\ntheir customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.\r\nCISA and FBI recommend affected MSPs:\r\nDownload the Kaseya VSA Detection Tool . This tool analyzes a system (either VSA server or managed\r\nendpoint) and determines whether any indicators of compromise (IOCs) are present.    \r\nEnable and enforce multi-factor authentication (MFA) on every single account that is under the control of\r\nthe organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing\r\nservices.\r\nImplement allowlisting to limit communication with remote monitoring and management (RMM)\r\ncapabilities to known IP address pairs, and/or\r\nPlace administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a\r\ndedicated administrative network.\r\nCISA and FBI recommend MSP customers affected by this attack take immediate action to implement the\r\nfollowing cybersecurity best practices. Note: these actions are especially important for MSP customers who do\r\nnot currently have their RMM service running due to the Kaseya attack.\r\nCISA and FBI recommend affected MSP customers:\r\nEnsure backups are up to date and stored in an easily retrievable location that is air-gapped from the\r\norganizational network;\r\nRevert to a manual patch management process that follows vendor remediation guidance, including the\r\ninstallation of new patches as soon as they become available;\r\nImplement:\r\nMulti-factor authentication; and\r\nPrinciple of least privilege on key network resources admin accounts.\r\nResources:\r\nCISA and FBI provide these resources for the reader’s awareness.  CISA and FBI do not endorse any non-governmental entities nor guarantee the accuracy of the linked resources.\r\nFor the latest guidance from Kaseya, see Kaseya's Important Notice July 3rd, 2021 .\r\nFor indicators of compromise, see Peter Lowe's GitHub page REvil Kaseya CnC Domains . Note: due to\r\nthe urgency to share this information, CISA and FBI have not yet validated this content.\r\nhttps://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa\r\nPage 1 of 2\n\nFor guidance specific to this incident from the cybersecurity community, see Cado Security's GitHub page,\r\nResources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack .\r\nNote: due to the urgency to share this information, CISA and FBI have not yet validated this content.\r\nFor advice from the cybersecurity community on securing against MSP ransomware attacks, see Gavin\r\nStone's article, How secure is your RMM, and what can you do to better secure it? .\r\nFor general incident response guidance, CISA encourages users and administrators to see Joint\r\nCybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious\r\nActivity.\r\nSource: https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa\r\nhttps://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa"
	],
	"report_names": [
		"cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa"
	],
	"threat_actors": [],
	"ts_created_at": 1775434500,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8c5d8ef0f7400c45d90455401cedb97b84c6f98.pdf",
		"text": "https://archive.orkl.eu/d8c5d8ef0f7400c45d90455401cedb97b84c6f98.txt",
		"img": "https://archive.orkl.eu/d8c5d8ef0f7400c45d90455401cedb97b84c6f98.jpg"
	}
}