The recent ransomware attack against the software firm Kaseya, which has impacted thousands of organizations worldwide that depend on the company’s network management software, reached Virginia Tech, where IT administrators this week shut down about 600 computers around its Blacksburg, Virginia, campus.
According to a notice Wednesday from the university’s tech division, the affected computers were connected to Kaseya’s VSA software, a platform used by managed service providers, which was targeted by members of the REvil ransomware gang.
While Virginia Tech was not a direct target of the cybercriminals, the Kaseya attack has had many downstream effects as the malware spread to MSPs and other Kaseya customers, some of which have in turn passed it on to their own clients, as happened in two small towns in Maryland.
Virginia Tech has been a Kaseya customer for several years, with the school’s IT help desk using the VSA platform to offer remote support and distribute software patches, according to a 2018 case study published by the company.
“As part of Virginia Tech’s immediate response, the Kaseya VSA application was shut down, effectively stopping any additional spread of the ransomware,” the update from the school’s IT department read. “Division of IT and departmental IT personnel have been working to recover data from backups and restore critical systems affected by the breach as quickly as possible.”
The 600 computers affected are being re-imaged to “remove any traces of the ransomware” and scanned with antivirus software and another program that identifies sensitive data. The IT division also reminded Virginia Tech’s community of students and faculty to back up their data offline and run antivirus programs.
Kaseya has said that at least 1,500 organizations may be impacted globally, though the Russia-based REvil gang — which has asked for a collective ransom of $70 million in cryptocurrency — has claimed there may be 1 million systems affected. The United States has in recent months attempted to apply pressure to Russia for giving safe harbor to non-state cybercriminals like the REvil operators, especially in light of other high-profile ransomware attacks against the Colonial Pipeline and the meat supplier JBS, the latter of which last month paid REvil affiliates $11 million for a decryption key.
White House Press Secretary Jen Psaki said earlier this week that “if the Russian government cannot or will not take action against criminal actors in Russia, we will take action or reserve the right.”