{
	"id": "df1353a9-37e6-4164-bda0-6dbd8b115f2e",
	"created_at": "2026-04-06T00:22:09.706471Z",
	"updated_at": "2026-04-10T13:11:41.740586Z",
	"deleted_at": null,
	"sha1_hash": "47bc847b9a03f9accd753a2a7f06aa2e7c4751b9",
	"title": "UPDATED: Kaseya hijacked, thousands attacked by REvil, fix delayed again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73367,
	"plain_text": "UPDATED: Kaseya hijacked, thousands attacked by REvil, fix delayed again\r\nBy Mark Stockley\r\nPublished: 2021-07-01 · Archived: 2026-04-05 17:41:33 UTC\r\nMalwarebytes does not use Kaseya products. Malwarebytes detects the REvil ransomware used in this attack as Sodinokibi.\r\nLatest updates\r\nJuly 7, 8:30 am, Kaseya VSA SaaS platform still offline, not updated as planned\r\nJuly 6, 3:40 pm, malspam using fake Kaseya security update\r\nJuly 6, 3:15 am, Malwarebytes telemetry reveals global scale of the attack\r\nJuly 6, 2:45 am, Ransom demand drops to $50 million, REvil branded “terrorists”\r\nJuly 5, 5:00 am, Kaseya flaw part of larger structural weakness in admin tools\r\nJuly 5, 4:30 am, Kaseya releases compromise detection tool\r\nJuly 4, 8:50 pm, REvil asks for $70 million\r\nJuly 4, 4:00 pm, Malwarebytes telemetry shows surge in REvil detections\r\nJuly 4, 5:00 am, “Thousands affected”, zero-day blamed\r\nJuly 3, Two MSPs named, hundreds of Coop stores closed\r\nJuly 2, Shut down Kaseya VSA immediately\r\nIOCs\r\nShut down Kaseya VSA immediately\r\nA severe ransomware attack reportedly taking place now against the popular Remote Monitoring and Management software tool Kaseya VSA has forced Kaseya into offering urgent advice: shut down VSA servers immediately.\r\n“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today,” Kaseya wrote on Friday afternoon. “We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.\r\nIt’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the 
VSA.”\r\nhttps://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/\r\nPage 1 of 5\n\nThe attack is reportedly delivered through a Kaseya VSA auto-update that maliciously pushes the REvil ransomware onto victims’ machines. Kaseya VSA is a popular software tool developed for Managed Service Providers that provide remote IT support and cybersecurity services for small- to medium-sized businesses that often cannot afford to hire full-time IT employees, due to their limited size or budgets.\r\nComplicating the attack is the fact that, according to cybersecurity researcher Kevin Beaumont, the malicious update carries administrator rights for clients’ systems, “which means that Managed Service Providers who are infected then infect their client’s systems.”\r\nFor a company that says it has 40,000 customers, this could be a disaster.\r\nDuring the attack, the cybercriminals reportedly shut off administrative access to VSA, and several protections within Microsoft Defender are disabled, including Real-Time Monitoring, Script Scanning, and Controlled Folder Access.\r\nA screenshot from Malwarebytes reveals a ransom note delivered to an infected Windows machine. In the note, attackers warn:\r\nMalwarebytes customers are currently protected from REvil, as shown in the screenshots below, and Malwarebytes is committed to continuing this protection. (Malwarebytes detects REvil as Sodinokibi)\r\nWe will update this post with more information as it becomes available, but the immediate guidance from Kaseya cannot be overstated: shut down VSA servers immediately.\r\nUpdate July 3, 2021\r\nKaseya has released a new statement confirming they were the victim of a sophisticated cyberattack. At this time they are still urging customers to keep their on-premise VSA servers offline.\r\nAccording to Bloomberg, two of the affected managed service providers (MSPs) are Synnex Corp. 
and Avtex LLC.\r\nWhile Kaseya is a US-based company, some of the MSPs’ customers are businesses in Europe. According to the BBC, Swedish supermarket chain Coop had to close more than 400 stores on Friday after the point-of-sale terminals and checkouts stopped working.\r\nVictims of this attack would have downloaded a malicious update called ‘Kaseya VSA Agent HotFix’ which was in fact meant to disable Windows Defender and push the file encryptor payload.\r\nUpdate July 4, 2021, 5:00 am, PT\r\nMore details of the vast scope of the attack have emerged. Huntress has been maintaining a comprehensive Reddit thread on the incident since Friday. In an accompanying blog post, the organization says it is tracking about 30 MSPs on four continents “where Kaseya VSA was used to encrypt well over 1,000 businesses”.\r\nOne of the affected organizations is St Peter’s School, Cambridge, New Zealand, which has confirmed that it is one of eleven schools in the country affected by this supply-chain attack.\r\nSecurity company HuntressLabs has analyzed the original attack vector and believes a REvil/Sodinokibi affiliate exploited a zero-day for an authentication bypass in Kaseya’s web interface.\r\nToday, Victor Gevers of the Dutch Institute for Vulnerability Disclosure (DIVD) revealed on Twitter that it was in a “coordinated vulnerability disclosure process” with Kaseya at the time of the attack.\r\nIn other words, Kaseya was aware of a problem and was actively working to fix it. According to Gevers, this explains why the on-premise version of VSA was vulnerable and the SaaS version was not. It seems that, sensibly, the SaaS version of VSA receives patches before the on-premise version.\r\nIt seems the attack was remarkably well timed. 
Had that process moved a little more quickly, infosec folks would now be enjoying their weekends and we’d be writing about what might have been, rather than about what Gevers describes as “the single largest ransomware spree in history”.\r\nGiven the way 2021 is unfolding, we can’t help wondering how long it will keep that title.\r\nUpdate: July 4, 4:00 pm, PT\r\nMalwarebytes’ telemetry shows a major increase in Ransom.Sodinokibi (REvil) detections, and not just in the US. In fact, we have a number of hits in India, France, Chile, Taiwan, Australia, Colombia and Argentina.\r\nUpdate: July 4, 8:50 pm, PT\r\nThe REvil gang has claimed the attack on MSPs and is asking for $70M in exchange for a universal decryptor. In a new post on their ‘Happy Blog’ hosted on the dark web, they say that more than a million systems were infected. They also mention that the universal decryptor would help recover from the attack in less than an hour. Both claims are highly controversial.\r\nUpdate: July 5, 4:30 am, PT\r\nKaseya has created a Compromise Detection Tool that can be downloaded from the company’s Box account. The tool will scan VSA servers or managed endpoints and determine whether any indicators of compromise (IoCs) are present. However, Kaseya says its customers should keep VSA turned off for now:\r\nAll on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture. 
\r\nCado Security has created a GitHub repository of tools for DFIR professionals who are dealing with the fallout from the attack.\r\nUpdate: July 5, 4:45 am, PT\r\nDIVD reveals that Kaseya’s instruction to shut down VSA servers, and the subsequent efforts of organizations like theirs, has drastically reduced the number of Kaseya VSA instances that are reachable from the internet, from “over 2,200 to less than 140” in 48 hours.\r\nThe organization also sheds a little more light on the root cause of the incident, saying “DIVD researcher, has previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks.” As we explained in an earlier update, DIVD was in the process of working with Kaseya to resolve the vulnerabilities when REvil struck. “Unfortunately, we were beaten by REvil in the final sprint.”\r\nOminously, it explains that this is part of a broader effort looking at the administration interfaces of tools used for system administration, saying: “we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses.”\r\nUpdate: July 6, 2:45 am, PT\r\nReuters reports that the REvil affiliate behind the attack “has indicated a willingness to temper their demands in private conversations with a cybersecurity expert and with Reuters.” According to the news organization, the attackers told Jack Cable of the Krebs Stamos Group that it was prepared to lower the asking price for a universal decryptor from $70 million to $50 million. 
A universal decryptor could be used to free all of the victims—all the customers of Kaseya’s customers—and save the attackers the bother of negotiating with each of up to 1,500 victims separately.\r\nRansomware gangs typically negotiate with one, or a small number of, victims at a time. The REvil affiliate behind this attack may simply be unequipped to communicate with so many victims. They may also be wary of creating thousands of separate ‘paper trails’ on the Bitcoin blockchain, since cryptocurrency payments are where recent law enforcement efforts seem to have focussed. About a month ago, the DOJ recovered the majority of the ransom paid in the Colonial Pipeline attack. A week later, police in Ukraine arrested several individuals believed to be engaged in money laundering for the Cl0p ransomware group.\r\nThe question now is whether Kaseya will pay. Reuters reports that in an interview with Kaseya CEO Fred Voccola, he responded to a question about whether the company would pay by saying “I can’t comment ‘yes,’ ‘no,’ or ‘maybe’ … No comment on anything to do with negotiating with terrorists in any way.”\r\nUpdate: July 6, 3:15 am, PT\r\nMalwarebytes Threat Intelligence has released an image showing the global scale of the event. Telemetry from Malwarebytes reveals detections for REvil on four continents following Friday’s attack.\r\nUpdate: July 6, 3:40 pm, PT\r\nMalwarebytes Threat Intelligence has seen a malicious spam campaign trying to take advantage of the Kaseya VSA attack. 
The email asks recipients to “please install the update from Microsoft to protect against ransomware” and carries an attachment called SecurityUpdates.exe.\r\nUpdate: July 7, 8:30 am, PT\r\nKaseya has updated its incident page to explain that its planned update to the Kaseya VSA SaaS platform has still not taken place, due to an unspecified issue.\r\n…during the deployment of the VSA update an issue was discovered that has blocked the release. We have not yet been able to resolve the issue\r\nThe SaaS platform’s continued unavailability is a mystery. Kaseya maintains that, unlike the on-premises version of its VSA product, the SaaS platform was not vulnerable to the zero-day issue used to launch Friday’s attack. However, the SaaS platform was taken offline as a precaution and will remain so until it can be updated.\r\nIndicators of Compromise (IoCs)\r\nLoader\r\nREvil/Sodinokibi DLL\r\nFile paths\r\nAdditional IOCs from configuration file (source)\r\nProcess list to kill\r\nServices to stop and delete\r\nSource: https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/"
	],
	"report_names": [
		"shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients"
	],
	"threat_actors": [],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47bc847b9a03f9accd753a2a7f06aa2e7c4751b9.pdf",
		"text": "https://archive.orkl.eu/47bc847b9a03f9accd753a2a7f06aa2e7c4751b9.txt",
		"img": "https://archive.orkl.eu/47bc847b9a03f9accd753a2a7f06aa2e7c4751b9.jpg"
	}
}