{
	"id": "e1b87c07-1e50-4f15-b3ba-2af9a2a1a787",
	"created_at": "2026-04-06T00:19:30.588049Z",
	"updated_at": "2026-04-10T03:20:38.591704Z",
	"deleted_at": null,
	"sha1_hash": "699be40a8e6fe2ab21d59df9774dfbfe5099dc0a",
	"title": "The Ransomware Files, Episode 6: Kaseya and REvil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61637,
	"plain_text": "The Ransomware Files, Episode 6: Kaseya and REvil\r\nBy Jeremy Kirk\r\nArchived: 2026-04-05 13:31:55 UTC\r\nThe REvil ransomware gang's attack against the U.S. software company Kaseya in 2021 is not only among the\r\nlargest ransomware attacks of all time, it's also one of the most intriguing.\r\nIt involves the use of zero-day software vulnerabilities known only to a handful of people, a race between\r\nattackers trying to snare ransom payments and defenders developing a patch, and a secret operation that hacked\r\nback against the REvil hackers. And in the end, a rare action happened: Someone was actually arrested.\r\nThis episode of \"The Ransomware Files\" talks to those who had a role in this incredible event. It also coincides\r\nwith the release of new technical information about the software vulnerabilities exploited by the ransomware\r\ngang, which were found by the Dutch Institute for Vulnerability Disclosure, or DIVD.\r\nREvil managed to exploit zero-day vulnerabilities in the Virtual Systems Administrator, which is remote\r\nmanagement software made by Kaseya and widely used by managed service providers. The vulnerabilities\r\nallowed the group to spread its ransomware, which was disguised as a software update.\r\nDIVD had warned Kaseya of the vulnerabilities in April, but REvil also discovered them, says Frank Breedijk,\r\nmanager of DIVD's Computer Security Incident Response Team. Breedijk and DIVD's chairman, Victor Gevers,\r\nfelt they had lost the race with the attackers.\r\n\"We were in this marathon to fix software that had quite a bit of technical debt in it,\" Breedijk says. \"And then\r\nwith the finish line in sight, on your right-hand side, all of a sudden comes Usain Bolt, passes you, flips you the\r\nbird and ransoms a whole bunch of systems.\"\r\nThe attack resulted in more than 1,500 organizations becoming infected with ransomware. 
Robert Cioffi is the\r\nfounder of Progressive Computing, which is a New York-based managed service provider that used Kaseya's VSA\r\nto deliver services to its clients.\r\nCioffi feared he might lose his business after speaking with a colleague on the day of the attack in July 2021. All\r\n80 of his customers were infected.\r\n\"I couldn't comprehend the words coming out of his mouth - that all of our customers were ransomwared,\" Cioffi\r\nsays. \"It just didn't make sense to me. What? How is it that everyone is ransomwared?\"\r\nThere are other twists and turns. The FBI and its law enforcement partners hacked back at the hackers, snatching a\r\nuniversal decryption key. And after the REvil gang went dark for good, prosecutors announced the arrest of a\r\nUkrainian man, Yaroslav Vasinskyi, for the attack against Kaseya. Vasinskyi is now awaiting trial in Texas (see:\r\nUS Nabs Alleged Ransomware Operators - One Tied to Kaseya).\r\nhttps://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045\r\nPage 1 of 3\n\n\"The Ransomware Files\" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher\r\nand more. I'm speaking with those who have navigated their way through a ransomware incident to learn how they\r\nfought back and what tips they can pass on to others. No ransomware infection is ever welcomed. But there's\r\ninvaluable knowledge gained. There should be no shame in getting infected, and it's important to share the lessons.\r\nIf you enjoyed this episode of \"The Ransomware Files,\" please follow it on a podcast platform and leave a review.\r\nAlso, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.\r\nIf you would like to participate in this project and tell the information security community about your\r\norganization's brush with ransomware, please get in touch with me at jkirk@ismg.io or direct message me here on\r\nTwitter. 
I'm looking for other people, organizations and companies that can share their unique experiences for the\r\nbenefit of all until ransomware, hopefully, is no longer a threat.\r\nCredits\r\nSpeakers: Robert Cioffi, Founder, Progressive Computing; Frank Breedijk, Manager, CSIRT, DIVD; Victor\r\nGevers, Chairman, DIVD; Jason Manar, Chief Information Security Officer, Kaseya; Jon DiMaggio, Chief\r\nSecurity Strategist, Analyst1; John Hammond, Senior Security Researcher, Huntress; Espen Johansen, Security\r\nDirector, Visma; Adrian Stanila, Senior Information Security Researcher, Visma; George Zamfir, Security Analyst,\r\nVisma; Jeremy Kirk, Executive Editor, Information Security Media Group.\r\nProduction Coordinator: Rashmi Ramesh.\r\nThe Ransomware Files theme song by Chris Gilbert/© Ordinary Weirdos Music.\r\nMusic by Uppbeat and Podcastmusic.com.\r\nSources\r\nBisend, What is Classic ASP?, Jan. 28, 2019;\r\nData Breach Today, REvil Revelations: Law Enforcement Behind Disruptions, Oct. 22, 2021;\r\nDouble Pulsar, Kaseya Supply Chain Attack Delivers Mass Ransomware Event to US Companies, July 3,\r\n2021;\r\nDutch Institute for Vulnerability Disclosure, Why We are Only Disclosing Limited Details on the Kaseya\r\nVulnerabilities, July 7, 2021;\r\nHuntress, The Hunt to Find Origins of Kaseya's VSA Mass Ransomware Incident, July 20, 2021;\r\nReuters, Governments Turn Tables on Ransomware Gang REvil by Pushing it Offline, Oct. 22, 2021;\r\nThe Record, Kaseya: More Than 1,500 Downstream Businesses Impacted by Ransomware Attack, July 6,\r\n2021;\r\nVisma, Software Vendor Kaseya Exposed to Global Cyberattack, Affecting Retail Trade, July 3, 2021.\r\nAdrian Stanila, Kaseya War Stories, Nov. 22, 2021;\r\nAllan Liska, Ransomware: Understand. Prevent. Recover, Oct. 
28, 2021.\r\nHuntress Labs, Reddit post: Critical Ransomware Incident in Progress, July 3, 2021;\r\nKevin Beaumont, Twitter post, July 5, 2021.\r\nSource: https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045"
	],
	"report_names": [
		"ransomware-files-episode-6-kaseya-revil-i-5045"
	],
	"threat_actors": [],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/699be40a8e6fe2ab21d59df9774dfbfe5099dc0a.pdf",
		"text": "https://archive.orkl.eu/699be40a8e6fe2ab21d59df9774dfbfe5099dc0a.txt",
		"img": "https://archive.orkl.eu/699be40a8e6fe2ab21d59df9774dfbfe5099dc0a.jpg"
	}
}