Kaseya Incident Recovery Dashboard
Updated July 27 at 3:00 p.m. CDT
ONX has fully tested the third-party decryption tool for systems encrypted by the REvil cyberattack of the Kaseya VSA module. After testing it at the file, folder, and system level, we are confident in the efficiency and results of the tool and are deploying it where advisable to assist in client system recovery efforts.
Updated July 23 at 1:05 p.m. CDT
You may have heard that Kaseya recently received a tool from a trusted third party to assist their customers in restoring client systems. ONX is actively testing the Kaseya tool to see what efficiency and effectiveness gains are possible for our clients, and will update our clients as more information becomes available.
Updated July 22 at 9:30 a.m. CDT
How Did This Happen?
On July 2, 2021, one of the backbone software modules that ONX and thousands of other Managed Service Providers (MSPs) use to monitor and manage servers and workstations was the victim of a coordinated, highly sophisticated cyberattack committed on a global scale. Unlike localized ransomware attacks that often originate through clicking on a malicious link or unknowingly visiting a malware site, this unprecedented attack originated outside our network and outside your systems, too.
Once the Kaseya Virtual System Administrator (VSA) module for Remote Monitoring and Management (RMM) was successfully breached by the REvil hacker group, the malicious code was pushed from the “mothership” of Kaseya to MSPs using the module, then through MSPs like ONX to all our clients’ servers and workstations.
In the same way you likely wouldn’t question an expected fee from your bank showing up in your online banking account, MSP servers did not question code from the Kaseya VSA RMM tool when it came through — it was normal, expected and from a trusted source. In this case, it was from THE source.
While Kaseya did recognize what happened and shut down their VSA module to prevent further infiltration and encryption within a very short time frame, for many MSPs, including ONX, the damage was done.
What Happens Now?
From the moment ONX became aware that the VSA module was compromised, we’ve been working around the clock to restore our clients to full functionality – first their servers, then their workstations. ONX staff worked through the holiday weekend after the attack and have been working every evening and weekend since because we know how vital your systems are and how painful it is as a business when they aren’t operating properly. It’s an ongoing process of executing every client’s disaster recovery plan simultaneously — and we’re going to keep at it until every system is back online and fully functioning.
When you’ve built a business on taking care of clients and preventing IT headaches and issues… and suddenly your clients are experiencing IT migraines that you cannot swiftly reboot out of existence — well, we take this situation seriously. We want you to know we won’t stop until the work is done. To maintain complete transparency with our clients during this time, we’ve built this dashboard to outline our recovery strategy and ensure you can see – in real time – our efforts to return every client to full functionality.
- Phase 1 – Return every server to basic functionality
- Phase 2 – Return every workstation to full functionality *
* A system is considered fully functional once servers and workstations are operating as expected and a client is able to operate normally, using their technology, systems, and processes in the same way they did before the Kaseya incident.
We want you to know that we will be increasing our communication frequency, beginning immediately, and that the entire ONX team is here to answer your questions and help you as we all recover from this unprecedented global attack.
Beyond recovery, Kaseya has been working with the FBI, Homeland Security, and two of the best software security firms in the world, FireEye and Huntress, to assess their VSA and other modules and address any potential issues. This process is called “hardening” software, and Kaseya has committed all necessary resources to harden their platform and assist MSPs with recovery efforts for their customers. Up to one million workstations worldwide were affected by the attack on Kaseya, so Kaseya’s commitment to recovery and to moving forward in the most secure way possible extends beyond ONX, beyond Kaseya and beyond the borders of the US. As information becomes available, we will continue to update you on our progress, Kaseya’s progress, and the overall path forward.
We continue to believe that Kaseya is the right product for enabling headache-free managed IT services for our customers and that this process of scrutiny and hardening will result in an even stronger, more secure product moving forward.
If you have any questions relating to the Kaseya incident, please email us at firstname.lastname@example.org.