Technology Provider Kaseya Warns of Cyberattack

The tool is used by managed service providers, which typically handle technology for dozens of smaller companies that may not have resources to staff in-house technology teams. Corporate and government tech groups also use the tool.

“It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA,” Kaseya warned in a notice posted to its support website.

A spokeswoman said Kaseya wasn’t the victim of a ransomware attack and that it was investigating “potential attacks on our VSA customers who have the software on-premise.” The company has shut down its cloud services out of caution, she said.

Incident response companies, including Huntress Labs Inc., said they were working with multiple service providers that had been affected by the attack in the U.S. and abroad.

Huntress has seen proof that once a service provider is infected via VSA, ransomware then spreads to client systems, said John Hammond, a senior security researcher with the company.

At least three managed service providers Huntress works with are affected, with around 200 businesses subsequently encrypted by ransomware, he said, adding that he has seen ransom demands of up to $5 million.

Ransomware gangs often launch attacks on Friday afternoons and before holiday weekends, when staff are likely to be out of the office and security teams minimally staffed, according to security experts.

They have long expressed concern that hacks of managed services providers or their supply chains could have a cascade effect, allowing hackers to infect dozens or more companies through a breach of one provider.

A hack in December of a file transfer tool of tech provider Accellion Inc. rippled to organizations in several countries, including New Zealand’s central bank, conglomerate

Singapore Telecommunications Ltd.

and U.S. law firm Jones Day.

Customers of software provider

SolarWinds Inc.

began unknowingly installing malware in Spring 2020 through seemingly routine updates to a network-management tool. U.S. officials blame Russian hackers for the attack that has reached into dozens of businesses and government agencies. Russia has denied involvement.

The Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security, said in an alert published late Friday that it was “taking action to understand and address” the attack on Kaseya’s VSA platform. A spokesman for the agency didn’t immediately respond to a request for comment on whether it was working directly with Kaseya.

Write to James Rundle at james.rundle@wsj.com