Kaseya VSA — REvil supply-chain ransomware
REvil exploited a zero-day authentication bypass in Kaseya VSA to push ransomware through managed service providers to roughly 1,500 downstream businesses in July 2021.
- Target: Kaseya VSA
- Date public: 2 July 2021
- Sector: Technology
- Attack type: Supply chain
- Threat actor: REvil / Sodinokibi
- Severity: Critical
- Region: Global
On 2 July 2021, the Friday before the US Independence Day holiday, attackers exploited a flaw in Kaseya VSA, a product that IT service companies use to remotely manage computers on behalf of their business clients. By compromising the tool the IT companies used to manage their clients, the attackers reached thousands of businesses at once instead of having to attack each one individually. The timing was deliberate: over a US holiday weekend, IT companies were running on skeleton crews. By the time most people realised what was happening, ransomware had already been pushed to the computers of roughly 1,500 businesses around the world. One of the most visible casualties was Coop, a Swedish supermarket chain, which closed around 800 stores because the software running its checkout tills had been encrypted. The criminals demanded $70 million for a master decryption key. Kaseya took VSA offline, patched it, and later obtained a decryptor through a channel it did not disclose. The attack remains the clearest demonstration of why compromising a single software supplier can ripple out to thousands of victims, and why IT service providers are prime targets.
What happened
On 2 July 2021, the Friday before the US Independence Day holiday weekend, REvil affiliates began exploiting a zero-day authentication-bypass vulnerability in on-premises Kaseya VSA servers. VSA is a remote monitoring and management (RMM) platform used by managed service providers (MSPs) to administer their clients' IT environments. The attack was a textbook supply-chain intrusion: rather than attacking individual businesses, the attackers compromised the tool MSPs used to manage them, so a single exploitation path propagated ransomware to a large number of downstream victims at once.
Within hours, Kaseya reported that fewer than 60 of its direct customers, mostly MSPs, had compromised VSA servers. Through those servers, ransomware was pushed to endpoints at roughly 1,500 downstream businesses across multiple countries, from small firms to large organisations in retail, healthcare, financial services and other sectors. One of the most visible impacts was in Sweden, where Coop, a major supermarket chain with approximately 800 stores, closed most of its shops for several days because the point-of-sale systems managed through a VSA-dependent MSP were encrypted and inoperable.
REvil demanded $70 million for a universal decryptor that would unlock all affected organisations at once. Kaseya shut down its SaaS VSA platform and told all on-premises VSA customers to take their servers offline immediately. It engaged Mandiant and other security firms for investigation and remediation. Patches for the vulnerabilities were released on 11 July. On 22 July, Kaseya announced it had obtained a universal decryptor from a "trusted third party" and, working with Emsisoft, began distributing it to affected organisations. Kaseya never disclosed the source; later press reporting indicated that the FBI had obtained the key from REvil's infrastructure and held it for several weeks while planning a disruption operation against the group.
How it worked
The entry point was CVE-2021-30116, an authentication bypass in the VSA server's web interface, chained with arbitrary file upload and code injection flaws in the same interface, so that an unauthenticated attacker could upload and execute code on the server without ever logging in. The Dutch Institute for Vulnerability Disclosure (DIVD) had reported this and several related VSA vulnerabilities to Kaseya in April 2021 and was part-way through a coordinated disclosure process: some of the bugs had already been patched, and a fix for CVE-2021-30116 was in its final validation stage when the attack began. How REvil obtained the vulnerability has never been established; parallel discovery is the simplest explanation, and DIVD's own timeline remains the primary public record of the disclosure.
Once on a VSA server, the attackers used VSA's own agent management functionality, the same mechanism MSPs use to push scripts and updates to managed endpoints, to run a procedure (named to look like a Kaseya agent hot-fix) on every machine the server managed. The procedure's command line first ran PowerShell's Set-MpPreference to switch off Windows Defender real-time monitoring, script scanning, controlled folder access and sample submission, then copied certutil.exe under a new name and used it to base64-decode a file delivered as agent.crt into agent.exe. That dropper, signed with a code-signing certificate that did not belong to Kaseya, wrote two files into C:\Windows: an outdated but still validly Microsoft-signed copy of the Defender service binary MsMpEng.exe, and a malicious mpsvc.dll. Launching the signed MsMpEng.exe made it side-load mpsvc.dll from the same directory, and that DLL was the REvil payload. Every executable in the chain therefore carried a valid signature, which defeats any control that treats a signature as a trust signal.
The attack's scale was a product of the MSP supply-chain architecture: each VSA server managed potentially hundreds or thousands of client endpoints, so one compromised server amplified a single intrusion into a mass ransomware deployment. The servers hit were only a fraction of Kaseya's on-premises base, and only internet-exposed on-premises servers were reachable at all; the attack's reach was bounded by how many of those existed and by how quickly Kaseya's shutdown notice reached their operators.
The holiday weekend timing was not coincidental: REvil had hit JBS over the Memorial Day weekend a month earlier. The Independence Day weekend thinned incident-response staffing at MSPs and IT teams, extending the window in which the attack could propagate before being stopped.
Timeline
- April 2021 — DIVD reports a set of VSA vulnerabilities, including CVE-2021-30116, to Kaseya and begins a coordinated disclosure process; Kaseya patches several of them in the following weeks.
- 2 July 2021, ~14:00 UTC — REvil affiliates begin exploiting CVE-2021-30116 against on-premises Kaseya VSA servers. Ransomware begins propagating to MSP-managed endpoints.
- 2 July 2021, afternoon — Kaseya detects the attack. Issues emergency notice advising all on-premises VSA customers to shut down servers immediately. Takes SaaS VSA platform offline.
- 2–3 July 2021 — Approximately 50 MSPs and 1,500 downstream businesses confirmed affected. Coop closes approximately 800 Swedish stores.
- 4 July 2021 — REvil posts a $70 million demand for a universal decryptor on its Happy Blog leak site.
- 11 July 2021 — Kaseya releases patches for VSA (versions 9.5.7a and later). VSA SaaS platform brought back online.
- 13 July 2021 — REvil infrastructure goes offline. Dark-web sites and payment portals disappear. Believed to be related to US government action.
- 22 July 2021 — Kaseya announces it has obtained a universal decryptor from an undisclosed third party and, working with Emsisoft, begins distributing it to affected customers.
- 8 October 2021 — Ukrainian national Yaroslav Vasinskyi, charged in the US for the Kaseya attack, is arrested in Poland.
- 8 November 2021 — US DOJ unseals the indictment against Vasinskyi and charges a second REvil member, Russian national Yevgeniy Polyanin, announcing the seizure of $6.1 million in ransom proceeds attributed to him.
- January 2022 — Russia's FSB announces the arrest of multiple REvil members at the request of the US government.
- March 2022 — Vasinskyi is extradited to the United States.
What defenders should learn
The Kaseya attack is the definitive demonstration of MSP supply-chain ransomware, and it changed how the security community thinks about the risk profile of remote management tooling. An RMM platform is, by design, an application with privileged remote code execution on every endpoint it manages, so compromise of the platform is equivalent to simultaneous privileged compromise of every managed endpoint. MSPs and the organisations that rely on them should build that equivalence into their architecture: treat RMM platforms as tier-zero assets, keep their administrative interfaces off the public internet and restricted to dedicated management networks, protect them with MFA and IP allowlisting, monitor continuously for anomalous procedures and mass deployments, and patch with emergency priority when vulnerabilities are disclosed. Downstream customers should also know which RMM their provider uses, so that a vendor advisory reaches them and not only their MSP.
The coordinated disclosure timeline is an uncomfortable lesson in the limits of responsible disclosure. DIVD was doing the right thing, working with Kaseya to patch quietly before publishing, and by DIVD's account Kaseya was cooperative and close to shipping the fix. REvil exploited the vulnerability first. The lesson is not that coordinated disclosure is wrong; it is that the window between discovery and patch must be as short as possible, and that during that window the vendor should push interim mitigations to customers (in this case, taking the VSA web interface off the internet) rather than waiting for a finished patch. Kaseya's on-premises customers had no way to know they were running a zero-day until the attack was already underway.
The use of signed, legitimate binaries to bypass security tools, living off the land plus DLL side-loading, is a technique defenders should expect in any capable ransomware operation and build detection for explicitly. A control that treats a valid signature as a proxy for trustworthiness is defeated by an attacker who brings along a signed binary from a legitimate vendor, as REvil did with an old Windows Defender executable. Behavioural detection is more robust here: is this process disabling security tooling? Is this signed binary running from, and loading libraries from, a directory it has no business being in? Is the RMM agent spawning a command interpreter across hundreds of endpoints at once?
Finally, Kaseya and the Colonial Pipeline and JBS incidents that preceded it collectively drove the most significant US ransomware policy response to date: the White House's direct warnings to businesses in June 2021, the launch of StopRansomware.gov, updated OFAC guidance on ransom payments in September 2021, TSA's pipeline security directives, and the first Treasury designation of a cryptocurrency exchange for laundering ransomware proceeds (SUEX, September 2021). Together the three incidents reshaped the US government's framing of ransomware as a national security problem rather than purely a criminal justice one.
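The behavioural rules described above, applied to the three observable steps of the endpoint stage (Defender tampering, a renamed certutil decoding the dropper, and the signed Defender binary side-loading mpsvc.dll from C:\Windows), as an added example. This is not code from Kaseya, Huntress or CISA. The records are constructed by hand in the shape of Sysmon events (ID 1 process creation, ID 7 image load); the parent process name AgentMon.exe for the Kaseya agent and the C:\kworking staging path are assumptions used only in the sample data.

```python
"""Behavioural detection for the endpoint stage of the Kaseya/REvil chain.

Added example, not vendor or project code. Events below are constructed
by hand; field names follow Sysmon (ID 1 process creation, ID 7 image load).
"""
import re
from dataclasses import dataclass

# Directories from which Defender's own service binary legitimately loads DLLs.
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

# Set-MpPreference switches that weaken Defender. Any one of them in a
# command line run outside an admin console is worth a finding.
MP_TAMPER = re.compile(
    r"set-mppreference.*?-(disablerealtimemonitoring|disableioavprotection|"
    r"disablescriptscanning|disableintrusionpreventionsystem|"
    r"enablecontrolledfolderaccess\s+disabled|submitsamplesconsent\s+neversend)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_tamper(ev):
    if ev["id"] == 1 and MP_TAMPER.search(ev.get("cmdline", "")):
        return Finding("defender_tamper", ev["host"], ev["cmdline"][:80])
    return None


def rule_certutil_abuse(ev):
    # Sysmon records OriginalFileName from the PE version resource, so a
    # copied-and-renamed certutil still identifies itself. Flag a rename,
    # or a -decode of a file outside the system directory.
    if ev["id"] != 1 or ev.get("original_file_name", "").lower() != "certutil.exe":
        return None
    cmd = ev.get("cmdline", "").lower()
    if _basename(ev["image"]) != "certutil.exe" or "-decode" in cmd:
        return Finding("certutil_abuse", ev["host"], ev["image"])
    return None


def rule_defender_sideload(ev):
    # The legitimately signed MsMpEng.exe loading an mpsvc.dll that does not
    # live in a Defender directory is the DLL side-loading step of the chain.
    if ev["id"] != 7 or _basename(ev["image"]) != "msmpeng.exe":
        return None
    loaded = ev["image_loaded"].lower()
    if loaded.endswith("\\mpsvc.dll") and not loaded.startswith(DEFENDER_DIRS):
        return Finding("defender_sideload", ev["host"], ev["image_loaded"])
    return None


RULES = (rule_defender_tamper, rule_certutil_abuse, rule_defender_sideload)


def detect(events):
    """Run every rule over every event; return findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


# Constructed sample telemetry (not real captured logs).
SAMPLE_EVENTS = [
    # Benign: the real Defender service loading its DLL from its own directory.
    {"id": 7, "host": "ws01", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "image_loaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
    # Stage 1: procedure pushed through the RMM agent (assumed name) disables Defender.
    {"id": 1, "host": "ws01", "original_file_name": "PowerShell.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files (x86)\Kaseya\AgentMon.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                "-DisableScriptScanning $true -SubmitSamplesConsent NeverSend"},
    # Stage 2: certutil copied to C:\Windows\cert.exe and used to decode the dropper.
    {"id": 1, "host": "ws01", "original_file_name": "CertUtil.exe",
     "image": r"C:\Windows\cert.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    # Stage 3: the dropper's copy of MsMpEng.exe side-loads the REvil DLL from C:\Windows.
    {"id": 7, "host": "ws01", "image": r"C:\Windows\MsMpEng.exe",
     "image_loaded": r"C:\Windows\mpsvc.dll"},
    # Benign: an admin running certutil by its own name to list a cert store.
    {"id": 1, "host": "ws02", "original_file_name": "CertUtil.exe",
     "image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -store my"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

None of the three rules depends on a hash or a signature: the first looks at what a command does, the second at the mismatch between a binary's on-disk name and its embedded original name, and the third at where a trusted binary is loading its libraries from. Any one firing on a machine managed by an RMM agent is a strong lead; all three on the same host within minutes is the Kaseya chain.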
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident or limited its blast radius. Sourced from regulator and framework guidance, never vendors.
- Quarterly tested backup restores, with the recovery clock measured: backups exist at most large organisations; tested restores do not. The difference between a six-day outage and a six-hour outage is whether the runbook has actually been run.
- Maintain a critical-third-party register, with exit plans for each: most large breaches start at a vendor you wouldn't have called critical. Keep a register of who can hurt you, what data they hold, and how you survive when they fail.
Sources
- CISA / FBI — Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack // primary
- Kaseya VSA ransomware attack — Wikipedia // reporting
- Huntress — Rapid Response: Kaseya VSA Mass MSP Compromise // analysis
- BleepingComputer — Kaseya obtains universal decryptor for REvil ransomware victims // reporting
- US DOJ — Ukrainian arrested and charged in connection with Kaseya ransomware attack // primary