Cyber Incident Victim: Kaseya
Date: Jul 2021
Location: United States of America
Summary
A REvil ransomware supply-chain attack exploited a vulnerability in Kaseya's VSA platform, impacting over 1,000 companies by targeting managed service providers (MSPs) and their downstream customers. The attackers deployed malicious files, including a signed executable that disabled security measures and encrypted devices, while demanding ransoms up to $5 million for MSPs and smaller sums for individual clients. The incident prompted an urgent shutdown advisory for VSA servers and highlighted MSPs' systemic risk due to their centralized management role, with the ransomware leveraging PowerShell commands and registry modifications to propagate across networks.
Description
The REvil ransomware gang executed a large-scale supply-chain attack against Kaseya's VSA cloud-based MSP platform on July 2, 2021, impacting over 1,000 companies through compromised managed service providers. The attackers exploited an unidentified vulnerability in Kaseya VSA, which MSPs use for client monitoring and patch management, to distribute ransomware to both the service providers and their customers. Eight major MSPs were confirmed compromised, with evidence showing downstream encryption of their clients' systems. The attack began midday on a Friday, timed just before the July 4th holiday weekend, when reduced staffing could hinder response efforts.

REvil delivered its payload by dropping a malicious agent.crt file containing PowerShell commands that disabled security protections, followed by execution of a signed agent.exe file that extracted embedded components ("MsMpEng.exe" and "mpsvc.dll") to encrypt devices. Some variants altered registry keys, including one that added configuration data referencing "BlackLivesMatter." Kaseya responded within hours by issuing a global advisory instructing all VSA customers to shut down their servers immediately to contain further propagation while investigations continued.

The ransomware demanded $5 million for a universal decryptor, while individual MSP customers received smaller ransom notes of $44,999. Although REvil typically exfiltrates data before encryption, the source article did not confirm data theft in this incident. Forensic analysis confirmed the attack's path through Kaseya's infrastructure, with Huntress Labs verifying the compromise chain that reached MSP clients. Kaseya's CEO publicly acknowledged the exploitation of a VSA vulnerability and committed to releasing a security patch, though no timeline was given in the initial disclosure. The incident underscored systemic risk in the MSP ecosystem, where compromising a single vendor enabled cascading encryption across multiple client networks. Financial losses stemmed from both ransom demands and operational disruption during a peak business period, though specific damage estimates were not quantified in the source material. Containment relied primarily on isolating affected VSA servers pending remediation guidance.
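As an added defender-side example that is not part of this incident record, the chain described above (PowerShell disabling protections, agent.exe dropping MsMpEng.exe and mpsvc.dll, the dropped MsMpEng.exe running and loading mpsvc.dll from a non-standard directory) can be expressed as detection logic over endpoint telemetry. The event schema, the sample events, the C:\staging path, the Defender install directories and the Set-MpPreference disable switch are assumptions chosen for illustration.

```python
import re

# Assumption: legitimate Defender engine directories on a stock Windows host.
DEFENDER_DIRS = (
    "c:\\program files\\windows defender",
    "c:\\programdata\\microsoft\\windows defender\\platform",
)
# Assumption: PowerShell turning off a Defender protection via Set-MpPreference -Disable... $true.
DISABLE_RE = re.compile(r"set-mppreference.*-disable\w+\s+\$?true", re.I)
# File names the write-up says agent.exe extracted before encryption started.
DROPPED = ("msmpeng.exe", "mpsvc.dll")

def _base(path):
    return path.lower().rsplit("\\", 1)[-1]

def _in_defender_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in DEFENDER_DIRS)

def analyze(events):
    """Return [(event_id, reason)] for events matching a stage of the described chain."""
    hits = []
    for ev in events:
        image, kind = ev["image"], ev["type"]
        actor, target = _base(image), ev.get("target", "")
        if kind == "process" and actor == "powershell.exe" and DISABLE_RE.search(ev.get("cmdline", "")):
            hits.append((ev["id"], "PowerShell disabling Defender protections"))
        elif kind == "file_create" and actor == "agent.exe" and _base(target) in DROPPED:
            hits.append((ev["id"], f"agent.exe wrote {_base(target)}"))
        elif kind == "process" and actor == "msmpeng.exe" and not _in_defender_dir(image):
            hits.append((ev["id"], "MsMpEng.exe running outside Defender directories"))
        elif kind == "image_load" and _base(target) == "mpsvc.dll" and not _in_defender_dir(target):
            hits.append((ev["id"], "mpsvc.dll loaded from a non-Defender directory"))
    return hits

# Constructed sample telemetry: five chain events (ids 1-5) followed by two benign ones (6, 7).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 2, "type": "file_create", "image": r"C:\staging\agent.exe", "target": r"C:\staging\MsMpEng.exe"},
    {"id": 3, "type": "file_create", "image": r"C:\staging\agent.exe", "target": r"C:\staging\mpsvc.dll"},
    {"id": 4, "type": "process", "image": r"C:\staging\MsMpEng.exe", "cmdline": "MsMpEng.exe"},
    {"id": 5, "type": "image_load", "image": r"C:\staging\MsMpEng.exe", "target": r"C:\staging\mpsvc.dll"},
    {"id": 6, "type": "process", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "cmdline": ""},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "Get-MpPreference"},
]
```

Running `analyze(SAMPLE_EVENTS)` flags events 1 through 5 and leaves the legitimate Defender engine and the read-only PowerShell query alone; a real deployment would map the same four rules onto Sysmon or EDR process, file-create and image-load events.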
