Kaseya Ransomware Attack: Free Questionnaire to Assess Third-Party Risk

1) Has the organization been impacted by the recent Kaseya VSA Supply-Chain Ransomware Attack?

(Please select one.)

Help text: This relates to the recent ransomware attack on the Kaseya VSA RMM Tool.

a) Yes, we have been impacted as a result of the recent Kaseya VSA Supply-Chain Ransomware Attack.

b) No, we have not been impacted as a result of the recent Kaseya VSA Supply-Chain Ransomware Attack.

2) As a result of this ransomware attack, has the organization identified and shut down any on-premise VSA servers?

(Please select one.)

a) Yes, the organization has shut down potentially affected on-premise VSA servers.

b) No, the organization has not currently shut down any potentially affected on-premises VSA servers.

c) The organization does not have any on-premise VSA servers.

3) Is the organization a Kaseya RMM managed service provider (MSP) or a customer of a managed service provider?

(Please select one.)

a) The organization is a managed service provider (MSP) of the Kaseya VSA RMM tool.

b) The organization is a customer of a Kaseya RMM managed service provider (MSP).

4) If the organization is a Kaseya RMM managed service provider, have the following actions been taken?

(Please select all that apply.)

Help text: The Kaseya VSA detection tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.

a) We have downloaded the Kaseya VSA Detection Tool.

b) We have enforced and enabled multi-factor authentication (MFA) on every account that is under the control of the organization.

c) We have enforced and enabled MFA for customer-facing services.

d) We have implemented allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs.

e) We have placed administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

5) If the organization is a customer of a Kaseya RMM managed service provider, have the following actions been taken?

(Please select all that apply.)

Help text: The following cybersecurity best practices are recommended, particularly where MSP customers do not currently have RMM services running due to the Kaseya attack.

a) We have ensured that backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.

b) We have implemented a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available.

c) We have implemented multi-factor authentication on key network resource admin accounts.

d) We have implemented the principle of least privilege on key network resources admin accounts.

6) Does the organization have an incident investigation and response plan in place?

(Please select all that apply.)

Help text: Procedures for monitoring, detecting, analyzing and reporting of information security events and incidents should be in place, and allow an organization to develop a clear response strategy to handling identified incidents and events.

a) The organization has a documented incident management policy.

b) The incident management policy includes rules for reporting information security events and weaknesses.

c) An incident response plan is developed as part of incident investigation and recovery.

d) Incident response planning includes escalation procedures to internal parties and communication procedures to clients.

7) Who is the point of contact who can answer additional queries?

Name:

Title:

Email:

Phone:

8) What is the level of impact to client systems and data following this attack?

(Please select one.)

Help Text:

Consideration should be given to level of impact on the availability and confidentiality to client information or systems.

Significant impact: The Kaseya VSA ransomware attack has caused client systems to stop working or become unavailable. There has been a loss of confidentiality or integrity of data.

High impact: Service availability to client systems has been periodically lost, and there is the potential for some systems to periodically stop. There has been some loss of confidentiality or integrity of data.

Low impact: No loss of confidentiality or integrity of data, and minimal or no disruption to service availability.

a) There has been no impact to client systems or data following this attack.

b) There has been a low impact to client systems or data following this attack.

c) There is a high level of impact to client systems or data following this attack.

d) There has been significant impact to client systems or data following this attack.