{
	"id": "2271ee4c-ce1b-4f3d-8d0c-4e3263640545",
	"created_at": "2026-04-06T00:14:26.98202Z",
	"updated_at": "2026-04-10T03:21:01.667681Z",
	"deleted_at": null,
	"sha1_hash": "22a0b5098873cda7702473bad2aee76262d7d16f",
	"title": "KASEYA Supply Chain Ransomware Attack | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1419659,
	"plain_text": "KASEYA Supply Chain Ransomware Attack | Zscaler Blog\r\nBy Mohd Sadique, Rajdeepsinh Dodia, Brett Stone-Gross\r\nPublished: 2021-07-06 · Archived: 2026-04-02 12:24:40 UTC\r\nOn July 2, 2021, Kaseya, an IT management software firm, disclosed a security incident affecting the on-premises version of its Virtual System Administrator (VSA) software. Kaseya VSA is a remote monitoring and management platform, offered both as SaaS and as an on-premises server, that Managed Service Providers (MSPs) use to perform patch management, backups, and client monitoring for their customers. Per Kaseya, the majority of its customers, who use the Software-as-a-Service (SaaS) offering, were not impacted; only a small number (fewer than 40 worldwide) running on-premises Kaseya VSA servers were affected, though it is believed that 1,000+ organizations were impacted downstream through the MSPs those servers managed. Below is the ThreatLabz technical deep-dive on the attack. For more background, read our full coverage blog here.\r\nInfection Overview\r\nThe threat actor behind this attack identified and exploited a zero-day vulnerability in the Kaseya VSA server. The compromised VSA server was then used to push a malicious script to every endpoint managed by that server, turning the management channel itself into the delivery mechanism. 
The script was used to deliver REvil ransomware, which encrypted files on the affected systems.\r\nThe malicious script contained a Windows batch command line beginning as follows:\r\nC:\\windows\\system32\\cmd.exe /c ping 127.0.0.1 -n 7615 \u003e nul \u0026 C:\\Windows\\System32\\WindowsPowerShell\\v\r\nThe ping to 127.0.0.1 with a large -n count is a sleep of roughly that many seconds (one echo per second, output discarded), which delays the rest of the chain. The PowerShell command that follows disables several Windows Defender features: real-time protection, network protection, scanning of downloaded files, sharing of threat information with the Microsoft Active Protection Service (MAPS), and automatic sample submission.\r\ncertutil.exe is then used to decode the Base64-encoded payload in agent.crt and write the result to an executable named agent.exe in the Kaseya agent's working directory. The batch script executes agent.exe, which drops and launches the REvil ransomware payload.\r\nREvil/Sodinokibi Ransomware\r\nThe executable agent.exe carries a valid code-signing signature with the following signer information (a valid signature only proves that the certificate holder signed the file; it says nothing about the publisher's intent): \r\nName: PB03 TRANSPORT LTD.\r\nEmail: Brouillettebusiness@outlook.com\r\nIssuer: CN = Sectigo RSA Code Signing CA, O = Sectigo Limited, L = Salford, S = Greater Manchester, C\r\nThumbprint: 11FF68DA43F0931E22002F1461136C662E623366\r\nSerial Number: 11 9A CE AD 66 8B AD 57 A4 8B 4F 42 F2 94 F8 F0\r\nhttps://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload\r\nPage 1 of 10\n\nUpon execution, agent.exe drops two additional files, stored in its resource section under the names SOFTIS and MODLIS, into the C:\\Windows directory. If the malware cannot write there (e.g., insufficient permissions), it drops them into the Windows %temp% directory instead. 
These two files are the following:\r\nMsMpEng.exe - A legitimate, signed Windows Defender executable that is vulnerable to DLL side-loading.\r\nmpsvc.dll - The REvil ransomware DLL, dropped under the name of a library that MsMpEng.exe legitimately loads.\r\nagent.exe then launches MsMpEng.exe. Because MsMpEng.exe resolves mpsvc.dll through the normal DLL search order, the copy sitting next to it in C:\\Windows (or %temp%) is loaded in place of the genuine library, and the REvil DLL runs inside the Windows Defender process, as shown in Figure 1. This gives the ransomware a trusted, signed host process.\r\nFigure 1. Main function of the malicious executable used in the Kaseya attack that drops a vulnerable copy of Windows Defender to load REvil ransomware.\r\nThis variant of REvil (aka Sodinokibi) ransomware uses several techniques to evade security products. It is wrapped in a custom packer, and the REvil payload is distributed as a portable executable (PE) with a modified header, as shown in Figure 2 (original PE header on the left, modified header on the right). This is likely designed to evade security products that cannot properly handle PE files with a non-standard header.\r\nFigure 2. Modified REvil PE header (the original header is shown on the left, while the Kaseya REvil payload is shown on the right).\r\nThe malware binary has an embedded encrypted configuration that is decrypted with RC4 at runtime, as shown in Figure 3.\r\nFigure 3. RC4 decryption of REvil configuration.\r\nThe REvil ransomware configuration contains the settings that govern the malware's behaviour. 
The configuration is stored in JSON format with the parameters shown in Table 1.\r\nConfiguration Key - Description\r\narn - Establish persistence via an autorun registry value\r\ndbg - Enable debug mode\r\ndmn - Semicolon-separated list of potential C\u0026C domains\r\net - Encryption type (partial or full)\r\nexp - Attempt to elevate privileges by exploiting a local privilege escalation (LPE) vulnerability\r\nimg - Base64-encoded ransom wallpaper\r\nnbody - Base64-encoded ransom note\r\nnet - Send beacons to the REvil command and control server\r\nnname - File name of the ransom note dropped in folders where files were encrypted\r\npid - Unique ID to identify this attack\r\npk - Base64-encoded attacker's public key used to encrypt files\r\nprc - List of processes to kill\r\nrdmcnt - Readme count (always set to 0)\r\nsub - Possible campaign/affiliate ID or just sub version number\r\nsvc - List of services to stop\r\nwfld - Directories to wipe\r\nwht - List of allowed extensions, folder names and file names\r\nwipe - Wipe specified directories\r\nTable 1. REvil configuration keys and their purpose.\r\nThe full decrypted configuration for this REvil attack can be found here.\r\nIn this variant the net key is set to false, which instructs the ransomware not to beacon information back to the C\u0026C domains after encryption. This is likely intended to evade network-based signatures that could alert victims to an ongoing attack. It also means the hardcoded domain list in the configuration should not be expected to appear in network telemetry from this campaign; treat it as a configuration artifact rather than as confirmed C\u0026C activity. 
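Turning the RC4-decrypted blob into the Table 1 fields is the first thing an analyst does with a REvil sample. The Python below is an added example, not code from the Zscaler analysis or from the malware: it implements RC4, decrypts a constructed configuration, reports the settings that matter to a responder (net, arn, exp, wipe, the domain list) and checks whether a given path would be skipped under the wht allowlist. The RC4 key, every value in the sample configuration, the {EXT} placeholder in nname and the assumption that wht holds sub-lists named fld, fls and ext are all constructed for the example; the real Kaseya configuration is linked above, and where the key sits relative to the blob inside the binary is outside what this page shows.

```python
import json

# Backslash built via chr() so sample paths need no escaping; real telemetry
# uses backslashes and would_encrypt() accepts either separator.
BS = chr(92)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(blob: bytes, key: bytes) -> dict:
    """RC4-decrypt the embedded blob, drop trailing NUL padding, parse the JSON."""
    plain = rc4(key, blob).rstrip(bytes([0]))
    return json.loads(plain.decode('utf-8'))


def summarize(cfg: dict) -> dict:
    """Pull out the Table 1 keys that change what a responder will (not) see."""
    domains = [d for d in cfg.get('dmn', '').split(';') if d]
    return {
        'beacons_to_c2': bool(cfg.get('net')),        # false in the Kaseya sample
        'autorun_persistence': bool(cfg.get('arn')),  # false in the Kaseya sample
        'attempts_lpe_exploit': bool(cfg.get('exp')),
        'wipes_directories': bool(cfg.get('wipe')),
        'encryption_type': cfg.get('et'),
        'ransom_note_name': cfg.get('nname'),
        'c2_domain_count': len(domains),
        'processes_killed': list(cfg.get('prc', [])),
        'services_stopped': list(cfg.get('svc', [])),
    }


def would_encrypt(path: str, cfg: dict) -> bool:
    """True if REvil would encrypt this path, i.e. no parent folder, file name or
    extension matches the wht allowlist. Sub-keys fld/fls/ext are an assumption."""
    wht = cfg.get('wht', {})
    parts = path.replace(BS, '/').lower().split('/')
    name = parts[-1]
    ext = name.rsplit('.', 1)[1] if '.' in name else ''
    if any(folder in wht.get('fld', []) for folder in parts[:-1]):
        return False
    if name in wht.get('fls', []) or ext in wht.get('ext', []):
        return False
    return True


# Constructed sample configuration: NOT the real Kaseya config, but it mirrors
# the settings the analysis describes (net=false, arn=false, rdmcnt=0, et=0).
SAMPLE_CONFIG = {
    'pk': 'c2FtcGxlLXB1YmxpYy1rZXk=',  # placeholder base64, not a real key
    'pid': 'sample-pid', 'sub': '0', 'dbg': False,
    'et': 0, 'wipe': False, 'wfld': ['backup'],
    'wht': {'fld': ['windows', 'program files'],
            'fls': ['desktop.ini', 'ntuser.dat'],
            'ext': ['exe', 'dll', 'sys']},
    'prc': ['sql', 'backup'], 'svc': ['vss', 'sql'],
    'dmn': 'example.invalid;example.test',
    'net': False, 'nbody': '',
    'nname': '{EXT}-readme.txt',  # {EXT} stands for the appended extension (assumed placeholder)
    'exp': False, 'img': '', 'arn': False, 'rdmcnt': 0,
}
SAMPLE_KEY = bytes.fromhex('0f1e2d3c4b5a69788796a5b4c3d2e1f0')  # constructed key
# Encrypt with a little NUL padding to imitate a blob carved from the binary.
SAMPLE_BLOB = rc4(SAMPLE_KEY, json.dumps(SAMPLE_CONFIG).encode('utf-8') + bytes(8))

if __name__ == '__main__':
    cfg = decrypt_config(SAMPLE_BLOB, SAMPLE_KEY)
    for k, v in summarize(cfg).items():
        print(k, '=', v)
    for p in ('C:/Users/alice/report.docx', 'C:/Windows/System32/notepad.exe'):
        print(p, 'would be encrypted:', would_encrypt(p, cfg))
```

With a real blob the only changes are the key and the carving of the ciphertext out of the binary; everything after decrypt_config() is the same. would_encrypt() is the check to run over a file listing when estimating blast radius: whatever matches wht was never touched, so intact files in those folders are not evidence of partial recovery.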
The REvil configuration in the Kaseya attack also disables persistence (the arn parameter), which may likewise be intended to avoid early-stage detection: with no autorun entry there is nothing for boot-time persistence checks to find.\r\nBefore the encryption process, the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\BlackLivesMatter is created to store the victim's and attacker's encryption key material and the file extension to be appended, as shown in Figure 4.\r\nFigure 4. Registry key names and values created by REvil ransomware.\r\nThe registry values are described in Table 2.\r\nRegistry Value Name - Description\r\n96Ia6 - Victim’s secret key encrypted with the attacker’s public key (“pk”)\r\nEd7 - Attacker’s public key\r\nJmfOBvhb - Encrypted victim’s key (same as the key present in the ransom note)\r\nQIeQ - Victim’s public key\r\nUcr1RB - Victim’s secret key encrypted with the master public key\r\nwJWsTYE - Extension to be appended after encryption\r\nTable 2. REvil registry key values.\r\nREvil then enables the Windows firewall's built-in Network Discovery rule group so that the local system can be discovered on the local network by other computers, using the command: \r\nnetsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes\r\nFile Encryption Process\r\nREvil ransomware encrypts every file whose extension, name, or parent folder is not in the allowlists stored in the configuration (the wht key). REvil reads each file, encrypts the contents, and writes the result back in place over the original file, so the plaintext is overwritten rather than left behind as a deleted copy that could be recovered. After the encryption, a footer is written to the end of the file and the encrypted file is renamed with an appended file extension. REvil ransomware uses a combination of Curve25519 (asymmetric) and Salsa20 (symmetric) encryption algorithms to encrypt files on the system. 
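The host artefacts described so far (the cmd.exe chain with its ping delay, the Defender tampering, certutil decoding agent.crt, MsMpEng.exe side-loading mpsvc.dll from C:\\Windows or %temp%, the BlackLivesMatter registry key and the netsh rule change) each leave a distinct trace in endpoint telemetry. The Python below is an added example, not part of the Zscaler analysis: it runs simple rules over constructed process-creation, image-load and registry events of the kind Sysmon or an EDR records. The event format, the Set-MpPreference parameter names (the page names the features, not the command), the Defender install directories used to recognise a legitimate MsMpEng.exe, and all sample paths are assumptions made for the example; sample paths are written with forward slashes, which norm() treats the same as backslashes.

```python
from typing import Dict, List

BS = chr(92)  # backslash, built with chr() so the sample needs no escaping
# Where a genuine MsMpEng.exe lives (assumption for the example; adjust to your estate).
DEFENDER_DIRS = ('c:/program files/windows defender/',
                 'c:/programdata/microsoft/windows defender/platform/')
REVIL_REG_KEY = 'hkey_local_machine/software/blacklivesmatter'


def norm(p: str) -> str:
    """Lower-case and use / as the separator so backslash and slash paths compare equal."""
    return p.replace(BS, '/').lower()


def strip_quotes(s: str) -> str:
    """Drop straight and curly quotes so group=”Network Discovery” matches either way."""
    for q in (chr(34), chr(39), chr(8220), chr(8221)):
        s = s.replace(q, '')
    return s


def check_process(cmdline: str) -> List[str]:
    """Rules for the command lines seen in the Kaseya batch chain and in REvil itself."""
    c = norm(strip_quotes(cmdline))
    hits = []
    if 'ping 127.0.0.1 -n' in c and '> nul' in c:
        hits.append('loopback ping with large -n used as a sleep')
    if 'set-mppreference' in c and any(t in c for t in (
            '-disable', 'mapsreporting disabled', 'submitsamplesconsent neversend',
            'enablenetworkprotection auditmode', 'enablenetworkprotection disabled')):
        hits.append('Windows Defender protections tampered via Set-MpPreference')
    if 'certutil' in c and '-decode' in c:
        hits.append('certutil used to decode a Base64 payload to disk')
    if 'advfirewall firewall set rule group=network discovery' in c and 'enable=yes' in c:
        hits.append('Network Discovery firewall rule group enabled')
    return hits


def check_imageload(image: str, module: str, module_signed: bool) -> List[str]:
    """MsMpEng.exe is only legitimate from its install directory, and it must not
    load an unsigned mpsvc.dll, or one from outside that install."""
    img, mod = norm(image), norm(module)
    hits = []
    if not img.endswith('/msmpeng.exe'):
        return hits
    if not img.startswith(DEFENDER_DIRS):
        hits.append('MsMpEng.exe running outside the Defender install directory')
    if mod.endswith('/mpsvc.dll') and (not mod.startswith(DEFENDER_DIRS) or not module_signed):
        hits.append('mpsvc.dll side-loaded into MsMpEng.exe')
    return hits


def check_registry(key_path: str) -> List[str]:
    if norm(key_path).endswith(REVIL_REG_KEY):
        return ['REvil key material registry key created (HKLM/SOFTWARE/BlackLivesMatter)']
    return []


def scan(events: List[Dict]) -> List[str]:
    """Apply the rules to a list of event dicts; returns strings of the form event N: finding."""
    findings = []
    for n, ev in enumerate(events):
        if ev['type'] == 'process':
            hits = check_process(ev['cmdline'])
        elif ev['type'] == 'imageload':
            hits = check_imageload(ev['image'], ev['module'], ev['signed'])
        elif ev['type'] == 'registry':
            hits = check_registry(ev['key'])
        else:
            hits = []
        findings.extend(f'event {n}: {h}' for h in hits)
    return findings


# Constructed sample events (not real telemetry). Event 0 follows the shape of
# the batch command line quoted above; the Set-MpPreference flags are the
# standard parameter names for the features the analysis lists.
SAMPLE_EVENTS = [
    {'type': 'process', 'cmdline':
        'C:/windows/system32/cmd.exe /c ping 127.0.0.1 -n 7615 > nul & powershell.exe '
        'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true '
        '-EnableNetworkProtection AuditMode -MAPSReporting Disabled -SubmitSamplesConsent NeverSend '
        '& certutil -decode C:/agent-work/agent.crt C:/agent-work/agent.exe & C:/agent-work/agent.exe'},
    {'type': 'imageload', 'image': 'C:/Windows/MsMpEng.exe',
     'module': 'C:/Windows/mpsvc.dll', 'signed': False},
    {'type': 'imageload',  # benign: genuine Defender load from its platform directory
     'image': 'C:/ProgramData/Microsoft/Windows Defender/Platform/4.18.0.0-0/MsMpEng.exe',
     'module': 'C:/ProgramData/Microsoft/Windows Defender/Platform/4.18.0.0-0/mpsvc.dll', 'signed': True},
    {'type': 'registry', 'key': 'HKEY_LOCAL_MACHINE/SOFTWARE/BlackLivesMatter'},
    {'type': 'process', 'cmdline': 'netsh advfirewall firewall set rule group=“Network Discovery” new enable=Yes'},
    {'type': 'process', 'cmdline': 'ping 8.8.8.8 -n 2'},  # benign
]

if __name__ == '__main__':
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The rules deliberately key on behaviour rather than on the hashes in the IOC section: a repacked agent.exe changes every hash, but a side-loaded mpsvc.dll beside an MsMpEng.exe in C:\\Windows, or a Set-MpPreference call that turns MAPS reporting off, looks the same from one affiliate to the next. Tune DEFENDER_DIRS to the paths in your estate before relying on the MsMpEng.exe location rule.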
For each file, REvil generates a fresh Curve25519 key pair and derives the Salsa20 key from that file's secret key and the victim's public key. Only the file's public key is kept (in the footer), so decrypting a file requires the victim's secret key together with that file public key.\r\nThe ransomware writes a footer of 232 (0xE8) bytes at the end of every encrypted file. The footer metadata contains the fields shown in Table 3.\r\nParameter (data size) - Description\r\nattacker_public_key (0x58) - Victim’s secret key encrypted with the attacker’s public key\r\nmaster_public_key (0x58) - Victim’s secret key encrypted with a master public key\r\nfile_public_key (0x20) - Public key generated for each file\r\nsalsa20_nonce (0x8) - Salsa20 nonce\r\ncrc32_file_public_key (0x4) - CRC32 checksum of file_public_key\r\net_config (0x4) - Encryption type (0 in this case)\r\nsk_size (0x4) - Bytes to skip during encryption\r\nnull_encrypted (0x4) - NULL value encrypted with Salsa20\r\nTable 3. REvil footer added to encrypted files (the field sizes sum to 0xE8 bytes).\r\nAn example REvil footer is shown in Figure 5, with the corresponding fields highlighted.\r\nFigure 5. Footer metadata appended to a file encrypted by REvil.\r\nAfter the encryption, REvil drops a ransom note named {random alphanumeric characters}-readme.txt according to the rdmcnt configuration (here rdmcnt is zero, so REvil drops a ransom note in every directory it encrypted). The ransomware then writes the decoded img configuration value (the ransom wallpaper) to a file in the Windows %temp% directory and sets it as the desktop wallpaper on the infected system. 
Figure 6 displays a screenshot with the REvil ransom note and wallpaper after the file encryption is completed.\r\nFigure 6: REvil ransom note and wallpaper after file encryption.\r\nThe REvil operators have posted details of the attack on their leak website, as shown in Figure 7. The group is currently demanding $70 million worth of Bitcoin for a master decryption tool.\r\nFigure 7. REvil’s Kaseya attack post on their dark web leak site.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs can be used to detect the REvil samples used in the Kaseya attack.\r\nHash - Type - Description\r\n95f0a946cd6881dd5953e6db4dfb0cb9 - MD5 - agent.crt (encoded REvil dropper)\r\n561cffbaba71a6e8cc1cdceda990ead4 - MD5 - agent.exe (REvil dropper)\r\na47cf00aedf769d60d58bfe00c0b5421 - MD5 - mpsvc.dll (REvil ransomware)\r\n7ea501911850a077cf0f9fe6a7518859 - MD5 - mpsvc.dll (REvil ransomware)\r\n2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643 - SHA256 - agent.crt (encoded REvil dropper)\r\nd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e - SHA256 - agent.exe (REvil dropper)\r\n8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd - SHA256 - mpsvc.dll (REvil ransomware)\r\ne2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 - SHA256 - mpsvc.dll (REvil ransomware)\r\nThe full list of 1200+ hardcoded beacon domains related to this REvil variant can be found here.\r\nSource: 
https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload"
	],
	"report_names": [
		"kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload"
	],
	"threat_actors": [],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22a0b5098873cda7702473bad2aee76262d7d16f.pdf",
		"text": "https://archive.orkl.eu/22a0b5098873cda7702473bad2aee76262d7d16f.txt",
		"img": "https://archive.orkl.eu/22a0b5098873cda7702473bad2aee76262d7d16f.jpg"
	}
}