# Threat Brief: Kaseya VSA Ransomware Attack

**[unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks](https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/)**

By [Unit 42](https://unit42.paloaltonetworks.com/author/unit42/), July 3, 2021 at 3:15 PM

Category: [Ransomware](https://unit42.paloaltonetworks.com/category/ransomware/), [Threat Brief](https://unit42.paloaltonetworks.com/category/threat-briefs-assessments/threat-brief/), [Unit 42](https://unit42.paloaltonetworks.com/category/unit42/). Tags: [Kaseya](https://unit42.paloaltonetworks.com/tag/kaseya/), [REvil](https://unit42.paloaltonetworks.com/tag/revil/)

## Executive Summary

July 3, 2021

On July 2, attackers reportedly launched attacks against users of the Kaseya VSA remote monitoring and management software as well as customers of multiple managed service providers (MSPs) that use the software. They used access to the VSA software to deploy ransomware associated with the REvil/Sodinokibi ransomware-as-a-service group, according to reports.

Kaseya has stated that the attack was conducted by exploiting a vulnerability in its software, and said it is working on a patch. The company has not released further information on the vulnerability. [Kaseya recommends that any organization using VSA shut the system down immediately.](https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689) [CISA has also issued a bulletin](https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack) asking organizations using the software to follow Kaseya guidance.

The full extent of the attack is currently unknown. [Kaseya states that fewer than 40 of its customers are impacted.](https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689)
If those customers include MSPs, many more organizations could have been attacked with the ransomware. Kaseya VSA’s functionality allows administrators to remotely manage systems. If an MSP’s VSA system was compromised, that could allow an attacker to deploy malware into multiple networks managed by that MSP.

There has been much speculation about the nature of this attack on social media and other forums. We have not been able to independently determine how these attacks were conducted. [Multiple sources have stated](https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b) that the following three files were used to install and execute the ransomware attack on Windows systems:

| File | SHA-256 |
|---|---|
| agent.exe | d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e |
| mpsvc.dll | e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 |
| mpsvc.dll | 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd |

[Palo Alto Networks WildFire](https://www.paloaltonetworks.com/products/secure-the-network/wildfire), [Threat Prevention](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention) and Cortex XDR detect and prevent REvil ransomware infections. As more information becomes available on the nature of this attack, we will update this brief to provide additional details.
## Indicators of Compromise

**Kaseya Connected REvil Executables**

- d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
- 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
- e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2

**Kaseya-provided IOCs are below:**

[Source: Incident Overview and Technical Details, Kaseya](https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961)

IP address: 162.253.124[.]162

**Web log IOCs**

| Request | User agent |
|---|---|
| POST /dl.asp | curl/7.69.1 |
| GET /done.asp | curl/7.69.1 |
| POST /cgi-bin/KUpload.dll | curl/7.69.1 |
| GET /done.asp | curl/7.69.1 |
| POST /cgi-bin/KUpload.dll | curl/7.69.1 |
| POST /userFilterTableRpt.asp | curl/7.69.1 |

## Additional Resources

- [Understanding REvil: The Ransomware Gang Behind the Kaseya Attack](https://unit42.paloaltonetworks.com/revil-threat-actors/)
- [Threat Assessment: GandCrab and REvil Ransomware](https://unit42.paloaltonetworks.com/ransomware-threat-assessments/7/)
- [2021 Unit 42 Ransomware Threat Report](https://start.paloaltonetworks.com/unit-42-ransomware-threat-report)
- [Breaking Down Ransomware Attacks](https://unit42.paloaltonetworks.com/breaking-down-ransomware-attacks/)
- [Ransomware’s New Trend: Exfiltration and Extortion](https://www.paloaltonetworks.com/resources/whitepapers/ransomwares-new-trend-exfiltration-and-extortion)

_Updated July 6, 2021, at 3:06 p.m. PT._
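As an added example (not part of the Unit 42 brief and not Kaseya's own tooling), the following Python script turns the indicators above into a simple sweep: it scans web log lines for the request/user-agent pairs and the source IP Kaseya published, and checks SHA-256 digests against the three file hashes. The log layout (an assumed IIS/W3C field order), the `LOG_RE` pattern and the `SAMPLE_LOG` lines are constructed assumptions; a real VSA web log may carry a different field set, so read its `#Fields:` header and adjust the regular expression before running it against production logs.

```python
import hashlib
import re

# SHA-256 digests of the REvil files named in the brief (agent.exe, mpsvc.dll).
KNOWN_BAD_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e": "agent.exe",
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2": "mpsvc.dll",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd": "mpsvc.dll",
}

# Web log IOCs from the Kaseya incident overview: (method, URI, user agent).
WEB_LOG_IOCS = {
    ("POST", "/dl.asp", "curl/7.69.1"),
    ("GET", "/done.asp", "curl/7.69.1"),
    ("POST", "/cgi-bin/KUpload.dll", "curl/7.69.1"),
    ("POST", "/userFilterTableRpt.asp", "curl/7.69.1"),
}
# The same requests without the user agent, used as a weaker "path only" signal.
IOC_REQUESTS = {(method, uri) for method, uri, _ua in WEB_LOG_IOCS}
# Defanged in the brief as 162.253.124[.]162; refanged here for comparison.
IOC_IP = "162.253.124.162"

# Assumed W3C/IIS-style field order (hypothetical; check the log's own
# "#Fields:" header): date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d+) (?P<ua>.+)$"
)


def scan_web_log(lines):
    """Return one hit per log line that matches an IOC.

    Each hit records the line number, client IP, request and the reasons it
    matched: "ioc_request" (method, URI and user agent all match),
    "ioc_path" (method and URI match but the user agent differs) or "ioc_ip".
    Header lines ("#Fields:" etc.) and lines in another layout are skipped.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        reasons = []
        if (rec["method"], rec["uri"], rec["ua"]) in WEB_LOG_IOCS:
            reasons.append("ioc_request")
        elif (rec["method"], rec["uri"]) in IOC_REQUESTS:
            reasons.append("ioc_path")
        if rec["ip"] == IOC_IP:
            reasons.append("ioc_ip")
        if reasons:
            hits.append({
                "line": lineno,
                "ip": rec["ip"],
                "request": f"{rec['method']} {rec['uri']}",
                "user_agent": rec["ua"],
                "reasons": reasons,
            })
    return hits


def match_hashes(digests):
    """Map each SHA-256 hex digest present in KNOWN_BAD_SHA256 to its file name."""
    return {d.lower(): KNOWN_BAD_SHA256[d.lower()]
            for d in digests if d.lower() in KNOWN_BAD_SHA256}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file on disk in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample log; only the IOC values themselves come from the brief.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)",
    "2021-07-02 14:01:03 162.253.124.162 POST /dl.asp 200 curl/7.69.1",
    "2021-07-02 14:01:05 162.253.124.162 GET /done.asp 200 curl/7.69.1",
    "2021-07-02 14:02:10 10.0.0.5 GET /index.html 200 Mozilla/5.0 (Windows NT 10.0)",
    "2021-07-02 14:03:00 10.0.0.7 POST /cgi-bin/KUpload.dll 200 Mozilla/5.0 (Windows NT 10.0)",
]

if __name__ == "__main__":
    for hit in scan_web_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} {hit['request']} <- {', '.join(hit['reasons'])}")
    print(match_hashes(["D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E"]))
```

The "ioc_path" reason is deliberately reported separately from a full match: a request to `/cgi-bin/KUpload.dll` from a browser user agent is worth a look but is not the published pattern, so it should be triaged rather than paged on. Hash matches are exact, so files recompiled or padded by the attacker will not match; use them to confirm, not to rule out.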