Cyber Incident Victim: South Carolina Legal Services
Date: Jul 2021
Location: United States of America
Summary
The REvil ransomware gang compromised a cloud-based MSP platform's infrastructure, deploying malicious updates to on-premise servers that spread ransomware across managed service providers and their clients. Attackers demanded $70 million in Bitcoin for a universal decryptor following the supply-chain attack, which drew significant law enforcement attention. The group's infrastructure subsequently went offline for approximately two months before unexpectedly reappearing, though its operational status remained unclear. A third party later provided the affected company with a decryption tool, enabling victims to restore files without paying the ransom. The gang's dark web leak site resumed operations without listing new victims at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The REvil ransomware gang executed a supply-chain attack targeting Kaseya's cloud-based MSP platform on July 2, 2021. Attackers compromised Kaseya VSA's infrastructure to distribute malicious updates to on-premise servers, deploying ransomware across enterprise networks managed by MSPs and their downstream customers. The operation leveraged Kaseya's centralized management tools to propagate encryption payloads at scale. REvil demanded $70 million in Bitcoin for a universal decryptor to restore all affected systems, marking one of the largest ransomware demands at the time. The attack drew immediate media attention and intensified law enforcement scrutiny due to its broad impact on MSPs and their client ecosystems.

Kaseya's incident response included collaboration with law enforcement and cybersecurity agencies to mitigate the attack. On July 13, REvil's infrastructure—including Tor leak sites, payment portals, and backend servers—abruptly went offline simultaneously, though the cause remained unclear. Potential explanations included voluntary shutdown due to law enforcement pressure or infrastructure seizure by authorities. By July 22, Kaseya obtained a universal decryptor through a trusted third party, enabling free file recovery for victims. REvil's infrastructure partially reemerged on September 7, 2021, when their dark web leak site became accessible again, though no new victim announcements appeared. The gang's payment site and backend systems remained offline during this reappearance, leaving their operational status uncertain.
