{
	"id": "10052185-d38d-40a1-b715-0be05b35463b",
	"created_at": "2026-04-06T00:10:28.921732Z",
	"updated_at": "2026-04-10T03:24:29.75751Z",
	"deleted_at": null,
	"sha1_hash": "511b8810161ac0032c1e9946e96b2beaa6ae8045",
	"title": "REvil ransomware hits 1,000+ companies in MSP supply-chain attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2392946,
	"plain_text": "REvil ransomware hits 1,000+ companies in MSP supply-chain attack\r\nBy Lawrence Abrams\r\nPublished: 2021-07-02 · Archived: 2026-04-05 15:17:29 UTC\r\nA massive REvil ransomware attack affects multiple managed service providers and over a thousand of their customers\r\nthrough a reported Kaseya supply-chain attack.\r\nStarting this afternoon, the REvil ransomware gang, aka Sodinokibi, targeted MSPs with thousands of customers through\r\nwhat appears to be a Kaseya VSA supply-chain attack.\r\nAt this time, there are eight known large MSPs that have been hit as part of this supply-chain attack.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/\r\nPage 1 of 7\r\nKaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for\r\ntheir customers.\r\nHuntress Labs' John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that\r\nthey have proof that their customers are being encrypted as well.\r\n\"We are tracking 20 MSPs where Kaseya VSA was used to encrypt over 1,000 businesses and are working in close\r\ncollaboration with six of them,\" Hammond shared in a blog post about the attack.\r\nKaseya issued a security advisory on its help desk site, warning all VSA customers to immediately shut down their VSA\r\nserver to prevent the attack's spread while it investigates.\r\n\"We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise\r\ncustomers only as of 2:00 PM EDT today.\r\nWe are in the process of investigating the root cause of the incident with an abundance of caution, but we\r\nrecommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.\r\nIt's critical that you do this immediately, because one of the first things the attacker does is shut off\r\nadministrative access to the VSA.\"\r\nIn a statement to BleepingComputer, Kaseya stated that it has shut down its SaaS servers and is working with other\r\nsecurity firms to investigate the incident.\r\nMost large-scale ransomware attacks are conducted late at night or over the weekend, when there is less staff to monitor the\r\nnetwork.\r\nAs this attack happened midday on a Friday, the threat actors likely timed it to coincide with the July 4th weekend\r\nin the USA, when it is common for staff to have a shorter workday before the holiday.\r\nIf you have first-hand information about this attack or information about affected companies, we would love to hear about it.\r\nYou can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.\r\nREvil attack spread through auto-update\r\nBleepingComputer has been told by both Huntress' John Hammond and Sophos' Mark Loman that the attacks on MSPs\r\nappear to be a supply chain attack through Kaseya VSA.\r\nAccording to Hammond, Kaseya VSA drops an agent.crt file into the c:\\kworking folder; the file is distributed as an\r\nupdate called 'Kaseya VSA Agent Hot-fix.'\r\nA PowerShell command is then launched that first disables various Microsoft Defender security features, such as real-time\r\nmonitoring, Controlled Folder Access, script scanning, and network protection.\r\nIt then decodes the agent.crt file using the legitimate Windows certutil.exe command to extract an agent.exe file into\r\nthe same folder, which is then launched to begin the encryption process.\r\nPowerShell command to execute the REvil ransomware\r\nSource: Reddit\r\nThe agent.exe is signed using a certificate from \"PB03 TRANSPORT LTD\" and includes an embedded 'MsMpEng.exe' and\r\n'mpsvc.dll,' with the DLL being the REvil encryptor. 
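As an added example (not code from the article, Huntress, Sophos or Kaseya), the following Python detector walks constructed Sysmon-style telemetry and flags each stage of the chain described above: the Set-MpPreference call that turns Defender features off, the certutil -decode of agent.crt into agent.exe, MsMpEng.exe running from outside Defender's own directories, mpsvc.dll being loaded beside it, the Winlogon auto-logon values used for REvil's Safe Mode encryption, and any file whose SHA-256 is one of the IOCs listed at the end of this article. The event field names ('type', 'image', 'command_line', 'image_loaded', 'key', 'value', 'sha256') and the sample events are assumptions constructed for this example; only the hashes come from the article.

```python
# Added example, not code from the article or the vendors it quotes.
# Event dicts are an assumed shape loosely modelled on Sysmon process-create,
# image-load and registry-set events; field names are not from any real log.
import ntpath
import re

# SHA-256 IOCs listed at the bottom of the article.
KNOWN_BAD_SHA256 = {
    '2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643': 'agent.crt',
    'd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e': 'agent.exe',
    'e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2': 'mpsvc.dll',
    '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd': 'mpsvc.dll',
}

# Set-MpPreference switches that turn off the Defender features the article
# names: real-time monitoring, script scanning, Controlled Folder Access and
# network protection. The match is on switch names, not one exact command.
DEFENDER_OFF = re.compile(
    r'set-mppreference.*?-(disablerealtimemonitoring|disablescriptscanning'
    r'|enablecontrolledfolderaccess\s+disabled|enablenetworkprotection\s+(disabled|auditmode))',
    re.IGNORECASE)

# certutil -decode <x>.crt <y>.exe: the base64 unpacking stage. Matching the
# argument rather than the image name also catches a copied/renamed certutil.
CERTUTIL_DECODE = re.compile(r'-decode\s+\S+\.crt\s+\S+\.exe', re.IGNORECASE)

# Directories where a genuine MsMpEng.exe / mpsvc.dll is expected to live.
DEFENDER_DIRS = (
    'c:\\program files\\windows defender',
    'c:\\programdata\\microsoft\\windows defender\\platform',
)


def in_defender_dir(path):
    '''True if path sits in (or under) one of Defender's install directories.'''
    d = ntpath.dirname(path).lower()
    return any(d == base or d.startswith(base + '\\') for base in DEFENDER_DIRS)


def check_event(ev):
    '''Return a list of finding labels for one event dict (empty if benign).'''
    hits = []
    kind = ev.get('type')
    if kind == 'process_create':
        image = ev.get('image', '')
        cmd = ev.get('command_line', '')
        if DEFENDER_OFF.search(cmd):
            hits.append('defender_tamper')
        if CERTUTIL_DECODE.search(cmd):
            hits.append('certutil_decode')
        # The signed, legitimate Defender engine is only suspicious by location.
        if ntpath.basename(image).lower() == 'msmpeng.exe' and not in_defender_dir(image):
            hits.append('msmpeng_outside_defender_dir')
    elif kind == 'image_load':
        loaded = ev.get('image_loaded', '')
        if ntpath.basename(loaded).lower() == 'mpsvc.dll' and not in_defender_dir(loaded):
            hits.append('mpsvc_sideload')
    elif kind == 'registry_set':
        key = ev.get('key', '').lower()
        value = ev.get('value', '').lower()
        if key.endswith('\\winlogon') and value in ('autoadminlogon', 'defaultpassword'):
            hits.append('winlogon_autologon')
        if '\\wow6432node\\blacklivesmatter' in key:
            hits.append('revil_config_key')
    sha = ev.get('sha256', '').lower()
    if sha in KNOWN_BAD_SHA256:
        hits.append('ioc_hash:' + KNOWN_BAD_SHA256[sha])
    return hits


def scan(events):
    '''Map event index -> findings, omitting events with no findings.'''
    results = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry (not captured from a real host); command lines
# are written to match the article's description of each stage.
SAMPLE_EVENTS = [
    {'type': 'process_create',
     'image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'command_line': 'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true '
                     '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
                     '-EnableNetworkProtection Disabled'},
    {'type': 'process_create', 'image': 'C:\\Windows\\System32\\certutil.exe',
     'command_line': 'certutil.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe'},
    {'type': 'process_create', 'image': 'c:\\kworking\\agent.exe',
     'command_line': 'c:\\kworking\\agent.exe',
     'sha256': 'd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e'},
    {'type': 'process_create', 'image': 'C:\\Windows\\MsMpEng.exe',
     'command_line': 'C:\\Windows\\MsMpEng.exe'},
    {'type': 'image_load', 'image': 'C:\\Windows\\MsMpEng.exe',
     'image_loaded': 'C:\\Windows\\mpsvc.dll',
     'sha256': 'e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2'},
    {'type': 'registry_set',
     'key': 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon',
     'value': 'DefaultPassword', 'data': 'DTrump4ever'},
    # Benign control: the real Defender engine from its install directory.
    {'type': 'process_create', 'image': 'C:\\Program Files\\Windows Defender\\MsMpEng.exe',
     'command_line': 'C:\\Program Files\\Windows Defender\\MsMpEng.exe'},
]

if __name__ == '__main__':
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, findings)
```

Two design points are worth noting. MsMpEng.exe is a genuinely signed Microsoft binary, so a signature or hash check on it proves nothing; the only usable signal is that it runs from C:\Windows rather than Defender's install or platform directory, which is why the check is on location. The Winlogon auto-logon rule will also fire on legitimate kiosk builds that set DefaultPassword, so treat it as corroborating evidence alongside the other stages rather than a stand-alone alert.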
When extracted, the 'MsMpEng.exe' and 'mpsvc.dll' are placed in the\r\nC:\\Windows folder.\r\nSigned agent.exe file\r\nThe MsMpEng.exe is an older version of the legitimate Microsoft Defender executable, used as a LOLBin to load the DLL\r\nand encrypt the device from within a trusted, signed process.\r\nThe agent.exe extracting and launching embedded resources\r\nSome of the samples add politically charged Windows Registry keys and configuration changes to infected computers.\r\nFor example, a sample [VirusTotal] installed by BleepingComputer adds\r\nthe HKLM\\SOFTWARE\\Wow6432Node\\BlackLivesMatter key to store configuration information from the attack.\r\nAdvanced Intel's Vitali Kremez told BleepingComputer that another sample configures the device for REvil's Safe Mode\r\nencryption, setting Windows to log on automatically with a default password of 'DTrump4ever':\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n\"AutoAdminLogon\"=\"1\"\r\n\"DefaultUserName\"=\"[account_name]\"\r\n\"DefaultPassword\"=\"DTrump4ever\"\r\nKaseya CEO Fred Voccola told BleepingComputer in an email late Friday night that a vulnerability in Kaseya VSA was\r\nused during the attack and that a patch will be released as soon as possible.\r\n\"While our investigation is ongoing, to date we believe that:\r\nOur SaaS customers were never at-risk. We expect to restore service to those customers once we have\r\nconfirmed that they are not at risk, which we expect will be within the next 24 hours;\r\nOnly a very small percentage of our customers were affected – currently estimated at fewer than 40\r\nworldwide.\r\nWe believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for\r\nour on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get\r\nour customers back up and running.\" - Kaseya.\r\nBleepingComputer has sent follow-up questions regarding the vulnerability and was told a comprehensive update would be\r\nreleased Saturday afternoon.\r\nHuntress continues to provide more info about the attack in a Reddit thread, and we have added IOCs to the bottom of this\r\narticle.\r\nRansomware gang demands a $5 million ransom\r\nA sample of the REvil ransomware used in one of these attacks has been shared with BleepingComputer. However, it is\r\nunknown if this is the sample used for every victim or if each MSP received its own ransom demand.\r\nIn that sample, the ransomware gang demands a $5,000,000 ransom for a decryptor.\r\nRansom demand\r\nAccording to Emsisoft CTO Fabian Wosar, MSP customers who were affected by the attack received a much smaller\r\n$44,999 ransom demand.\r\nWhile REvil is known to steal data before deploying the ransomware and encrypting devices, it is unknown if the attackers\r\nexfiltrated any files.\r\nMSPs are a high-value target for ransomware gangs, as they offer an easy channel to infect many companies through a\r\nsingle breach, yet the attacks require intimate knowledge of MSPs and the software they use.\r\nREvil has an affiliate well versed in the technology used by MSPs, as the gang has a long history of targeting these companies\r\nand the software commonly used by them.\r\nIn June 2019, an REvil affiliate targeted MSPs via Remote Desktop and then used their management software to push\r\nransomware installers to all of the endpoints that they manage.\r\nThis affiliate is believed to have previously worked with GandCrab, who also successfully conducted attacks against MSPs\r\nin January 2019.\r\nThis is a developing story and will continue to be updated.\r\nUpdate 7/1/21 10:30 PM EST: Added updated statement about vulnerability.\r\nUpdate 7/3/21 5:37 PM EST: Updated title and added information on how over 1,000 businesses have been affected by this\r\nattack.\r\nIOCs\r\nKnown file hashes (SHA-256):\r\nagent.crt - 2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643\r\nagent.exe - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e\r\nmpsvc.dll - e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2\r\nmpsvc.dll - 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/"
	],
	"report_names": [
		"revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/511b8810161ac0032c1e9946e96b2beaa6ae8045.pdf",
		"text": "https://archive.orkl.eu/511b8810161ac0032c1e9946e96b2beaa6ae8045.txt",
		"img": "https://archive.orkl.eu/511b8810161ac0032c1e9946e96b2beaa6ae8045.jpg"
	}
}