REvil ransomware attack on Kaseya VSA

July 8, 2021

Over the weekend, starting on Friday, July 2 at 2:00 PM EDT, REvil (aka Sodinokibi) ransomware infected Kaseya, an American software company. Kaseya Limited develops software for managing networks and information technology infrastructure.

This attack has hit thousands of companies worldwide, including a grocery store chain, schools, and a national railway system.

The attack was carried out by leveraging a zero-day vulnerability in VSA, one of Kaseya's products. The Miami-based company has described the attack as a “sophisticated cyberattack” involving its on-premise VSA products. It has also assured customers that only VSA products were affected by this attack and confirmed that its IT systems remain intact.

According to security expert Kevin Beaumont, the attack was pushed via an automated, malicious software update labeled “Kaseya VSA Agent Hot-fix.” The fake update was deployed across the state, including to the MSP clients' customers.

The ransomware encrypted the victims' files and demanded a $70 million ransom in BTC to restore the data. REvil ransomware is believed to be the successor of GandCrab, which is famous for targeting high-profile victims and employing a technique to pressure its victims into paying the ransom.



Figure 1. Default wallpaper image of Infected system


Figure 2. REvil/Sodinokibi Ransom Note



John Hammond, Senior Security Researcher at Huntress Labs, revealed that about 30 Managed Service Providers (MSPs) were hit and that, through them, the attack spread to “well over” 1000 businesses. That includes small companies located in 17 countries, among them the United Kingdom, Canada, South Africa, New Zealand, Indonesia, and Kenya. The most prominent disruption happened in Sweden, where 800 Coop grocery stores were shut down after the attack. Visma Esscom runs Coop's cash registers and other servers for Swedish businesses, and in turn uses Kaseya.


Kaseya's executive team convened and took two steps to stop the malware from spreading. First, they notified their customers to “IMMEDIATELY” shut down their on-premise VSA servers. Second, on their own end, they shut down the Kaseya VSA SaaS infrastructure.


While Kaseya's technical investigation is ongoing, the Dutch Institute for Vulnerability Disclosure (DIVD) has revealed that the attack exploited a vulnerability that DIVD had previously discovered and reported to Kaseya. However, Kaseya was still validating the patch ahead of the rollout.

According to DIVD, Kaseya has been cooperative and has been in constant communication with them since hearing about the vulnerability. They were in their final sprint when the attack happened.

On July 3, 2021, Kaseya advised customers who were affected by the ransomware and had received communications from the threat actors to avoid clicking any links in them, since the links might be malicious and could result in severe damage. On the same day, Kaseya also announced a new Compromise Detection Tool that its clients can download to analyze a system, either a VSA server or a managed endpoint. The tool helps determine whether any indicators of compromise (IoC) are present.

As of July 5, 2021, Kaseya has disclosed that the patch for its on-premise customers has been created and is being tested and validated. The company expects the patch to be available within 24 hours after its SaaS servers have been brought back up.

REvil threat actors were also the cyber attackers behind the ransomware attack that targeted the meat supplier, JBS USA Holdings Inc.
