Cyber Incident Victim: Ensinger Plastics

Date: Jul 2021

Location: United States of America

Summary

Ensinger Plastics was impacted by a ransomware attack targeting a managed service provider platform, compromising its infrastructure to deploy malicious updates that encrypted files across enterprise networks. The perpetrators demanded $70 million in Bitcoin for decryption. Following law enforcement pressure, the gang's infrastructure temporarily went offline, but later resurfaced with unclear operational status. A universal decryptor was subsequently obtained, enabling affected organizations to recover their data without paying the ransom.

Description

On July 2, 2021, the REvil ransomware gang executed a supply-chain attack targeting Kaseya’s cloud-based Managed Service Provider (MSP) platform. The attackers initially compromised Kaseya VSA’s infrastructure, then weaponized the platform’s update mechanism to distribute malicious payloads to on-premises servers. This malicious update deployment led to the encryption of files across enterprise networks managed by affected MSPs and their downstream customers. REvil demanded a single ransom payment of $70 million in Bitcoin to provide a universal decryption key for all impacted systems. The attack’s scale drew immediate attention from global media outlets and law enforcement agencies, intensifying scrutiny on the threat actors. Kaseya’s VSA platform served as a critical IT management tool for numerous MSPs, amplifying the operational disruption across multiple organizations simultaneously. While the exact number of compromised endpoints was not disclosed, the incident represented one of the largest ransomware campaigns observed at the time because of its supply-chain vector.

REvil’s infrastructure, including their Tor-based leak site (“Happy Blog”) and payment portal (decoder[.]re), abruptly went offline on July 13, 2021, approximately eleven days after the Kaseya attack. This simultaneous takedown of backend systems and public-facing sites occurred amid heightened law enforcement activity but lacked official confirmation regarding its cause. On July 22, Kaseya announced it had obtained a universal decryptor through a “trusted third-party,” enabling affected organizations to restore files without paying the ransom. The decryptor’s origin remained unspecified in available reporting. By September 7, 2021, REvil’s leak site unexpectedly reappeared online, though it displayed no new victim entries at the time of observation. The gang’s operational status during this reemergence remained unverified, with conflicting possibilities including law enforcement interference or voluntary reactivation by the threat actors. The Kaseya incident demonstrated REvil’s continued focus on high-impact supply-chain compromises despite subsequent infrastructure instability.
