On July 2, 2021,  Kaseya disclosed an active attack against customers using its VSA product , and urged all on-premise customers to switch-off Kaseya VSA. Shortly before this alert,  users on Reddit started describing ransomware incidents  against managed security providers (MSPs), and the common thread among them was on-premise VSA deployments. In the hours to follow, several indicators of compromise (IOCs) were released, and Akamai was able to observe some of that traffic. A patch for the VSA product was released by Kaseya on July 11. \n The attack: \n The attackers, affiliates of the REvil ransomware group, exploited authentication bypass and arbitrary command execution vulnerabilities ( CVE-2021-30116 ) that enabled them to distribute ransomware encryptors to targeted systems. In order to assist defenders,  Kaseya released a number of IOCs  related to the ransomware attacks .…