Kaseya VSA: Ransomware Delivered to 1,500 Businesses in One Hit

The REvil ransomware group exploited zero-day vulnerabilities in Kaseya's remote management software to push ransomware to roughly 1,500 businesses at once, including a Swedish supermarket chain forced to close nearly all of its roughly 800 stores.

Kaseya / MSP Ecosystem · 2021 · 2 min read

Background

Kaseya VSA is remote monitoring and management (RMM) software used by Managed Service Providers (MSPs) to remotely manage their clients' IT infrastructure. An MSP using VSA can push software and scripts to thousands of client systems simultaneously — making it an extraordinarily powerful supply chain attack vector.

The Attack

REvil chained several zero-day vulnerabilities in the web interface of on-premises Kaseya VSA servers, including an authentication bypass, an arbitrary file upload and a code injection, to take control of the server itself. The flaws were not unknown: the Dutch Institute for Vulnerability Disclosure (DIVD) had reported them to Kaseya in April 2021, and a patch was still being developed when the attack began. On July 2, 2021, the Friday afternoon before the US Independence Day long weekend, the attackers used the compromised VSA servers to push a fake "agent hot-fix" procedure to every endpoint those servers managed. The procedure disabled Windows Defender protections and then ran the REvil payload, so the ransomware arrived through the same trusted channel the MSP uses for routine maintenance. Fewer than 60 MSPs were compromised directly, and through them an estimated 1,500 downstream businesses in at least 17 countries. Coop, a Swedish supermarket chain, closed nearly all of its roughly 800 stores because the point-of-sale systems managed by its MSP were encrypted.
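The deployment step is the detectable part of this chain: a legitimate RMM agent spawning a shell that switches off endpoint protection and decodes a staged payload before running it. The routine below is an added example, not code from the original page, from Kaseya or from any incident report. It scores constructed process-creation events for that pattern and only raises an alert on tampering or payload decoding, because an RMM agent spawning PowerShell on its own is normal MSP activity. The hostnames, file paths and command lines are constructed for the example; AgentMon.exe is the VSA agent process name and the Set-MpPreference switches are real Windows Defender parameters, but the agent install path and the staging directory are assumptions.

```python
import re
from dataclasses import dataclass

# Process names treated as RMM agent parents. AgentMon.exe is the Kaseya VSA
# agent; add other RMM agents to this set as needed.
RMM_AGENT_IMAGES = {"agentmon.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Set-MpPreference with one of the Defender protections switched off.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*?-Disable"
    r"(RealtimeMonitoring|IOAVProtection|ScriptScanning|IntrusionPreventionSystem)"
    r"\s+\$true",
    re.IGNORECASE,
)
# "<something>.exe -decode <blob> <target>.exe": certutil, or a renamed copy of
# it, turning a staged file into an executable.
LOLBIN_DECODE = re.compile(r"\.exe\s+-decode\s+\S+\s+\S+\.exe", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Simplified Sysmon-style process-creation record (constructed layout)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Return the indicators present in one event, in a fixed order."""
    reasons = []
    if _basename(ev.parent_image) in RMM_AGENT_IMAGES and _basename(ev.image) in SHELL_IMAGES:
        reasons.append("rmm-agent-spawned-shell")
    if DEFENDER_TAMPER.search(ev.command_line):
        reasons.append("defender-tamper")
    if LOLBIN_DECODE.search(ev.command_line):
        reasons.append("lolbin-decode")
    return reasons


def triage(events: list[ProcEvent]) -> list[dict]:
    """Alert on Defender tampering or payload decoding. An RMM-spawned shell by
    itself is routine, so it only tags whether the alert was RMM-delivered."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if "defender-tamper" in reasons or "lolbin-decode" in reasons:
            alerts.append({
                "host": ev.host,
                "rmm_delivered": "rmm-agent-spawned-shell" in reasons,
                "reasons": reasons,
            })
    return alerts


def sample_events() -> list[ProcEvent]:
    """Constructed events: a routine MSP script, a ransomware deployment
    procedure pushed through the agent, and a manual Defender change by an admin."""
    agent = r"C:\Program Files (x86)\Kaseya\AgentMon.exe"  # install path is an assumption
    powershell = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        ProcEvent("ws-checkout-07", agent, powershell,
                  r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Stopped"'),
        ProcEvent("ws-checkout-12", agent, r"C:\Windows\System32\cmd.exe",
                  r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul '
                  r"& powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                  r"-DisableIOAVProtection $true -DisableScriptScanning $true -Force "
                  r"& copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe "
                  r"& C:\Windows\cert.exe -decode c:\staging\agent.crt c:\staging\agent.exe "
                  r"& c:\staging\agent.exe"),
        ProcEvent("it-admin-01", r"C:\Windows\explorer.exe", powershell,
                  r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ]


if __name__ == "__main__":
    for alert in triage(sample_events()):
        print(alert)
```

The second event produces an RMM-delivered alert with all three indicators; the third is still worth a ticket (an admin turning off real-time monitoring) but is not tagged as RMM-delivered, which is the distinction an MSP's SOC needs when deciding whether one alert means one host or every host the agent manages.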

Response

Kaseya shut down its SaaS servers within hours and told all on-premises customers to take their VSA servers offline until a patch was available; the fixed release (VSA 9.5.7a) shipped on July 11. The FBI and CISA coordinated the response. REvil's leak site and payment infrastructure went dark on July 13. On July 22 Kaseya obtained a universal decryptor from a "trusted third party" and distributed it to victims; later reporting established that the FBI had obtained the key by gaining access to REvil's servers and had held it for several weeks while planning an operation against the group.

Outcome

The attack demonstrated that MSPs are the highest-leverage target for ransomware groups: compromise one MSP to reach hundreds or thousands of businesses. Kaseya stated that it did not pay the $70 million ransom REvil demanded, and the later arrival of a working decryptor was a rare win for victims. REvil resurfaced in September 2021 but went offline again in October after its infrastructure was reportedly taken over in a multi-country law enforcement operation.

Key Takeaways

  1. MSPs are the highest-value targets for ransomware supply chain attacks — they need security standards as strict as banks
  2. Friday afternoon and long weekends are the preferred deployment time for ransomware — staff incident response accordingly
  3. RMM tools that can push code to thousands of endpoints are nation-state and criminal priority targets
  4. Zero-day exploitation of management software turns the trusted agent into the delivery channel: the payload arrives with the agent's privileges and looks like routine administration, so endpoint controls must treat RMM-initiated scripts as untrusted code rather than whitelisting the agent
Tags: REvil, zero-day, MSP, RMM, supply chain ransomware