CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack

Importance: High


CISA has released (TLP:WHITE) Current Activity: CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack


CISA and the FBI continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.


CISA and FBI recommend affected MSPs:


  • Contact Kaseya at with the subject “Compromise Detection Tool Request” to obtain and run Kaseya's Compromise Detection Tool, available to Kaseya VSA customers. The tool is designed to help MSPs assess the status of their systems and their customers' systems.
  • Enable/enforce multi-factor authentication (MFA) on every account under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend affected MSP customers:


These actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available.
  • Implement multi-factor authentication and principle of least privilege on key network resource admin accounts.


CISA and FBI provide the following resources for awareness. CISA and FBI do not endorse any non-governmental entities nor guarantee the accuracy of the linked resources.


We kindly request any incidents related to this campaign be reported to the FBI Internet Crime Complaint Center (IC3) at (Click “File a Complaint”).


Steve Lyddon

Protective Security Advisor, Region 5, Illinois

Cybersecurity and Infrastructure Security Agency

Cell:  217-299-3954 |