{
	"id": "427a5386-ce64-42df-8f7f-0bce73e8e97b",
	"created_at": "2026-04-06T00:14:01.490674Z",
	"updated_at": "2026-04-10T13:12:51.409875Z",
	"deleted_at": null,
	"sha1_hash": "42eb42dadb842171883a84bacc9602b7ab11d180",
	"title": "Cybereason vs. REvil Ransomware: The Kaseya Chronicles",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 759624,
	"plain_text": "Cybereason vs. REvil Ransomware: The Kaseya Chronicles\r\nBy Tom Fakterman\r\nArchived: 2026-04-05 20:18:26 UTC\r\nAs a spate of ransomware attacks continues to dominate the headlines in recent months, the infamous REvil\r\nransomware gang has upped the ante significantly with a wide-ranging operation that is suspected to have\r\nimpacted thousands of small-to-midsize businesses through the compromise of a leading IT services provider.\r\nReports indicate that the REvil gang’s supply chain attack exploited the Kaseya VSA remote management service\r\nto propagate the ransomware to multiple targets by way of Managed Service Providers who use the software to\r\nservice clients across the globe.\r\nREvil is the same threat actor who hit meatpacking giant JBS with a ransomware attack at the beginning of June,\r\nshutting down a good portion of the company’s production capabilities and threatening to create supply chain\r\ndisruptions and sharp cost of goods increases.\r\nBack in April of 2019, the Cybereason Nocturnus team first encountered and analyzed the REvil ransomware (aka\r\nSodinokibi, Sodin), a notoriously aggressive and highly evasive threat that takes many measures to maintain\r\nobfuscation and prevent detection by security tools.\r\nCybereason Detects and Blocks REvil Ransomware\r\nThe Cybereason Defense Platform has consistently proven to detect and block REvil ransomware. Cybereason\r\ncustomers have been protected from this threat since it emerged in 2019, as are the customers of our Managed\r\nServices Provider partners in the wake of the Kaseya supply chain compromise:\r\nhttps://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles\r\nPage 1 of 6\n\nThe Cybereason Defense Platform Detects and Blocks REvil Ransomware\r\nOver time, REvil has become the largest ransomware cartel in operation to date. 
Subsequent attacks\r\nattributed to the REvil gang include a March 2021 attack against Taiwanese multinational electronics corporation\r\nAcer, where the assailants demanded a record-breaking $50 million ransom.\r\nIn April, the REvil gang attempted to extort Apple following an attack against one of the tech giant’s business\r\npartners with a $50 million ransom demand, with the additional threat to increase the ransom demand to $100\r\nmillion and release exfiltrated data from the target should the payment not be made promptly.\r\nMuch like the DarkSide ransomware gang that struck Colonial Pipeline in early May, the REvil gang follows the\r\ndouble extortion trend, where the threat actors first exfiltrate sensitive information stored on a victim’s systems\r\nbefore launching the encryption routine.\r\nAfter the ransomware encrypts the target’s data and issues the ransom demand for payment in exchange for the\r\ndecryption key, the threat actors make the additional threat of publishing the exfiltrated data online should the\r\ntarget refuse to make the ransom payment.\r\nThis means the target is still faced with the prospect of having to pay the ransom regardless of whether or not they\r\nemployed data backups as a precautionary measure, and underscores the need to take a prevention-first security\r\nposture.\r\nKaseya Ransomware Attack\r\nAt the time of publication of this report, the exact chain of events that enabled at least 1000 businesses to be\r\ninfected by the REvil ransomware is not entirely clear. 
According to Huntress’s investigation, one possibility is the\r\nexploitation of the web interface of Kaseya’s VSA Servers (software used by Kaseya customers to monitor and\r\nmanage their infrastructure), which enabled authentication bypass and remote code execution.\r\nIn addition, the Dutch Institute for Vulnerability Disclosure (DIVD) has revealed that it had alerted Kaseya to a\r\nnumber of zero-day vulnerabilities in the VSA software (CVE-2021-30116) which are used in the ransomware\r\nattacks.\r\nScreenshot from the REvil Website\r\nThe Flow of the Alleged Supply-Chain Attack\r\nFull attack tree as shown in the Cybereason Defense Platform\r\nOnce the attackers gain access to the targeted environment, the Kaseya Agent Monitor (agentmon.exe) is used to\r\nwrite a base64-encoded file named “agent.crt” (the ransomware dropper) to the path “c:\\kworking\\”.\r\nAfter it writes the encoded payload to disk, agentmon.exe executes the following command line, which contains\r\nthese commands:\r\nFull command line executed by “agentmon.exe”\r\nPing is executed a random number of times (in each instance we observed, the -n parameter is different).\r\nThis may function as a sleep timer before the next instructions are executed:\r\nPing command line\r\nA PowerShell command is executed to disable Windows built-in security and antivirus settings on the\r\nmachine:\r\nPowershell command line disabling Windows built-in security and antivirus settings\r\n“CertUtil.exe” is copied to “C:\\Windows\\cert.exe”. CertUtil.exe is an admin command line tool intended\r\nby Microsoft to be used for manipulating certification authority (CA) data and components. CertUtil.exe is\r\npopular as a LoLBin (living off the land binary) and is often used by attackers. The name change is\r\nprobably used as an attempt to evade detection rules for the process. 
In addition, a random number is\r\nechoed to the end of “cert.exe”, probably to change the hash of the file.\r\nCert.exe (renamed CertUtil.exe) is used to decode the previously dropped “agent.crt” file to “agent.exe”, which is\r\nthen executed:\r\nRenaming CertUtil.exe and execution of dropper\r\nThe Ransomware Dropper (agent.exe)\r\nThe ransomware dropper (agent.exe) is signed with the certificate “PB03 TRANSPORT LTD.” The certificate\r\nappears to have only been used by REvil malware that was deployed during this attack:\r\nThe certificate used to sign REvil ransomware\r\nTo add a layer of stealth, the attackers used a technique called DLL side-loading. Agent.exe drops an outdated\r\nversion of “msmpeng.exe” (the Windows Defender executable) that is vulnerable to DLL side-loading.\r\nThe dropper then writes the ransomware payload to disk as the module “mpsvc.dll” to make “msmpeng.exe” load\r\nand execute it:\r\nExtraction and execution of the payload in IDA\r\nThe Ransomware Payload (mpsvc.dll)\r\nSimilar to the agent.exe dropper binary, the ransomware payload DLL is also signed with the same certificate.\r\nAnalysis of the DLL binary showed that it is the REvil ransomware. Once execution is passed to the module,\r\nit executes the command “netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes”,\r\nwhich changes the firewall settings to allow local Windows systems to be discovered. Then, it starts to encrypt the\r\nfiles on the system, eventually dropping the following ransom note:\r\nREvil ransom note\r\nCYBEREASON DETECTION AND PREVENTION\r\nRansomware attacks are on the rise. 
A recently released report by Cybereason, titled Ransomware: The True Cost\r\nto Business, detailed how malicious actors are fine-tuning their ransomware campaign tactics, and how both the\r\nfrequency and severity of successful ransomware attacks have a tremendous impact on victim organizations and\r\ntheir ability to conduct business.\r\nThe full REvil attack involving Kaseya is presented in the Cybereason Defense Platform process tree as an\r\nautomatically generated Malop™ for a complete view of the attack narrative:\r\nFull attack tree as shown in the Cybereason Defense Platform\r\nThe Cybereason Defense Platform delivers multi-layer protection that has been proven to detect and block REvil\r\nransomware since it emerged in 2019, and continues to allow defenders to protect their organizations from this\r\nevolving threat:\r\nCybereason AI-based NGAV and Anti-Ransomware detects and prevents REvil ransomware\r\nSECURITY RECOMMENDATIONS\r\nKaseya released a VSA Detection Tool which analyzes the system in order to detect if any related IOCs are\r\npresent\r\nEnable the Anti-Ransomware feature on Cybereason NGAV and set protection mode to Prevent - more\r\ninformation for customers can be found here\r\nEnable the Anti-Malware feature on Cybereason NGAV, set to Prevent and set the detection mode to Moderate\r\nand Above - more information for customers can be found here\r\nKeep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\nRegularly Backup Files to a Remote Server: Restoring your files from a backup is the fastest way to regain\r\naccess to your data\r\nUse Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and\r\nmail filtering\r\nRansomware Prevention Capabilities are Key\r\nThe best ransomware defense for organizations is to focus on preventing a ransomware infection in the 
first place.\r\nOrganizations need visibility into the more subtle Indicators of Behavior (IOBs) that allow detection and\r\nprevention of a ransomware attack at the earliest stages.\r\nCybereason delivers industry-leading ransomware protection via multi-layered prevention, detection and response,\r\nincluding:\r\nAnti-Ransomware Prevention and Deception: Cybereason uses a combination of behavioral detections\r\nand proprietary deception techniques to surface the most complex ransomware threats and end the attack\r\nbefore any critical data can be encrypted.\r\nIntelligence-Based Antivirus: Cybereason blocks known ransomware variants leveraging an ever-growing\r\npool of threat intelligence based on previously detected attacks.\r\nNGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code\r\nto block unknown ransomware variants prior to execution.\r\nFileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based\r\nransomware that traditional antivirus tools miss.\r\nEndpoint Controls: Cybereason hardens endpoints against attacks by managing security policies,\r\nmaintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a\r\nrange of device types, both fixed and mobile.\r\nBehavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most\r\ncommon business document formats, including those that leverage malicious macros and other stealthy\r\nattack vectors.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to\r\neverywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo\r\ntoday to learn how your organization can benefit from an operation-centric approach to security. 
\r\nIndicators of Compromise\r\nSource: https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles"
	],
	"report_names": [
		"cybereason-vs-revil-ransomware-the-kaseya-chronicles"
	],
	"threat_actors": [],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42eb42dadb842171883a84bacc9602b7ab11d180.pdf",
		"text": "https://archive.orkl.eu/42eb42dadb842171883a84bacc9602b7ab11d180.txt",
		"img": "https://archive.orkl.eu/42eb42dadb842171883a84bacc9602b7ab11d180.jpg"
	}
}