A patch for on-premises customers of the Kaseya VSA product that was the source of a widespread ransomware attack since Friday is currently going through the testing and validation process, the company said Monday.
The patch will likely be made available within 24 hours after Kaseya servers supporting its software-as-a-service offering have been brought up, which the company currently expects to happen between 2 p.m. and 5 p.m. Tuesday. Results of testing and evaluation could impact that timeline, the update posted to the Kaseya website noted.
VSA will be brought online with staged functionality, with the first release preventing access to functionality used by “a very small fraction” of the user base, including: classic ticketing, classic remote control (not LiveConnect), and the user portal.
“Kaseya met with the FBI/CISA tonight to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers,” the Monday night update noted. “A set of requirements will be posted prior to service restart to give our customers time to put these countermeasures in place in anticipation of a return to service” July 6.
A new version of the Compromise Detection Tool can be downloaded from Kaseya’s Box share (VSA Detection Tools.zip) to identify whether any indicators of compromise are present on a system (either a VSA server or a managed endpoint). Specifically, the tool searches for the IoCs, evidence of data encryption, and the REvil ransom note. “We recommend that you re-run this procedure to better determine if the system was compromised by REvil,” the update noted, adding that 2,000 customers have downloaded this tool since Friday.
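To make concrete what a sweep of this kind does, here is an added illustrative example; it is not Kaseya’s Compromise Detection Tool and reproduces none of its logic or indicator values. It checks a directory tree for the three classes of evidence the article names (known IoC file hashes, bulk-encrypted files, and a ransom note), using obviously labelled placeholder indicators and a constructed sample tree, since the page itself publishes no hashes or file names.

```python
"""Added illustrative example (NOT the Kaseya Compromise Detection Tool).

Sweeps a directory tree for three indicator classes:
  1. files whose SHA-256 matches a known-bad hash list,
  2. files that look bulk-encrypted (marker extension or near-random bytes),
  3. a ransom-note file name.
Every indicator value below is a PLACEHOLDER, not a real REvil indicator.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Placeholder indicators (assumption: a real tool ships the actual values).
RANSOM_NOTE_NAMES = {"PLACEHOLDER-readme.txt"}
IOC_SHA256 = {"0" * 64}            # placeholder hash list
ENCRYPTED_EXT = ".placeholder_enc"  # placeholder extension appended to encrypted files
ENTROPY_THRESHOLD = 7.5             # bits/byte; close to 8 suggests ciphertext
MIN_ENTROPY_SIZE = 4096             # skip tiny files, whose entropy is noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_tree(root) -> dict:
    """Walk `root` and bucket suspicious files by indicator class."""
    findings = {"ransom_note": [], "ioc_hash": [], "encrypted": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if path.name in RANSOM_NOTE_NAMES:
            findings["ransom_note"].append(str(path))
        if hashlib.sha256(data).hexdigest() in IOC_SHA256:
            findings["ioc_hash"].append(str(path))
        looks_encrypted = path.suffix == ENCRYPTED_EXT or (
            len(data) >= MIN_ENTROPY_SIZE
            and shannon_entropy(data) > ENTROPY_THRESHOLD
        )
        if looks_encrypted:
            findings["encrypted"].append(str(path))
    return findings


def is_compromised(findings: dict) -> bool:
    """Any hit in any class is enough to flag the host for investigation."""
    return any(findings.values())


def demo() -> dict:
    """Constructed sample tree: one ransom note, one encrypted blob, one clean file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "PLACEHOLDER-readme.txt").write_text(
            "your files are encrypted (constructed sample note)"
        )
        # Random bytes stand in for ciphertext; the marker extension mimics
        # the renaming many ransomware families perform.
        (root / ("report.docx" + ENCRYPTED_EXT)).write_bytes(os.urandom(8192))
        (root / "notes.txt").write_text("hello" * 1000)  # low entropy, clean
        return scan_tree(root)


if __name__ == "__main__":
    result = demo()
    for kind, hits in result.items():
        print(f"{kind}: {len(hits)} hit(s)")
    print("compromised:", is_compromised(result))
```

The entropy heuristic is deliberately a last resort: compressed archives, images and already-encrypted backups also score near 8 bits/byte, so a hash or ransom-note match is far stronger evidence than entropy alone, and a production tool would whitelist known high-entropy formats before raising an alert.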
The ransomware offensive from a REvil affiliate targeting Kaseya VSA’s on-premises customers exploited two zero-day bugs in the code – an authentication bypass and one of several SQL injections, according to research from Huntress Labs. Kaseya quickly shut down the SaaS version of VSA as a precaution and told on-premises users to shut down their VSA servers.