Kaseya was informed of a major cybersecurity hole in its IT management software in early April, three months before a ransomware group took hostage its information systems in an ongoing attack, The Wall Street Journal reported July 7.
The REvil ransomware gang attacked Kaseya's systems July 2, affecting about 50 of the company's customers and at least 200 companies in the U.S., according to Newsweek.
The Dutch Institute for Vulnerability Disclosure, a volunteer-run security group, told the Journal it discovered and alerted Kaseya of the vulnerability in its systems April 6. "When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands," the institute said in a blog post. "After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do."
Kaseya declined the Journal's comment request regarding the timeline of the flaw discovery but said that the Dutch Institute for Vulnerability Disclosure "has been a great partner" and they "value the service they provide."
The flaw the Dutch group reported was one of seven vulnerabilities the group reported to Kaseya concerning its software. Security researchers who discover software flaws often notify the companies discreetly to allow them to create a patch to fix the issue before hackers are made aware and take advantage of the vulnerability.
The Dutch group's Chairman Victor Gevers told the Journal that Kaseya responded quickly once it was notified of the vulnerabilities in its software and quickly issued two patches in April and May to address some of the security issues. However, the company is still working to fully patch its VSA software.
REvil is requesting $70 million to unlock all the systems, but victims have been told they can pay varying amounts between $25,000 and $5 million directly to REvil to unlock their systems if nobody pays the $70 million, according to the report. REvil said that upon payment, they will release a "universal decryptor" that would unlock computers that had been encrypted and compromised by the attack, according to a July 4 note posted to the group's website.