Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

List of Victims of Kaseya Ransomware Attack Grows

2 Maryland Towns Report Malware on Their Networks
List of Victims of Kaseya Ransomware Attack Grows
REvil's darknet announcement offering a decryptor for sale (Source: Trustwave)

Two small Maryland towns are among the latest victims to come to light almost a week after the REvil ransomware supply chain attack that targeted Kaseya's VSA remote IT management software. The company says the attack on on-premises VSA installations affected about 60 of its managed service provider customers and up to 1,500 of their clients.

See Also: How to Hunt Threats Like Elite Defenders with Open NDR + MITRE ATT&CK®

North Beach and Leonardtown both said Kaseya's software installed on their networks by their MSPs was targeted by ransomware attacks on July 2. Among others identified as victims of the ransomware attack on VSA are the Swedish grocery chain Coop and 100 kindergartens and 11 schools in New Zealand.

North Beach and Leonardtown, both southeast of Washington, say their computer systems went down at 12:30 p.m. on July 2, the day the Kaseya attack was revealed.

The ransomware reached Leonardtown through its MSP, JustTech, The Washington Post reports. North Beach officials also confirmed in a statement that VSA software was present on its network, but they did not specify the MSP involved.

Leonardtown officials say the town's entire network was encrypted, and the attackers demanded an unstated ransom for the decryptor key, but the town refused to pay and was able to restore its system through backups. North Beach did not comment on whether its attackers demanded a ransom.

REvil initially demanded a $70 million ransom for a universal decryptor for use by all victims, but the demand was quickly lowered to $50 million.

The Downstream Impact

Cybersecurity analysts say it's likely that a substantial number of additional victims will come to light in the coming days, pointing to similar revelations after other recent supply chain attacks, such as those affecting SolarWinds and Accellion.

”We are slowly collecting victim data from open-source reporting; right now we have about a dozen, but we expect that number will grow over the next few days,” says Allan Liska, an intelligence analyst at Recorded Future.

Mark Loman, the director of engineering at Sophos who has been immersed in studying the scope and impact of the Kaseya supply chain attack, says it's the largest ransomware incident he's seen, likely affecting organizations worldwide.

The SolarWinds attack ultimately affected 18,000 users of the Orion network monitoring platform and resulted in follow-on attacks on nine government agencies and 100 companies.

Months after the December 2020 cyberattack on Accellion's File Transfer Appliance, the identities of more organizations affected are still being revealed.

For example, on July 2, Morgan Stanley informed the New Hampshire attorney general of a data breach caused by the Accellion FTA vulnerability.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.