{
	"id": "0920ef8e-8564-4c4c-ad7c-292c1b176ce6",
	"created_at": "2026-04-06T02:11:31.596222Z",
	"updated_at": "2026-04-10T03:21:45.508813Z",
	"deleted_at": null,
	"sha1_hash": "75b77d5d3b15a2044426beef295ef312b5c0f9b7",
	"title": "Uncompromised: When REvil comes knocking",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 269351,
	"plain_text": "Uncompromised: When REvil comes knocking\r\nBy Laura Brosnan\r\nPublished: 2022-03-16 · Archived: 2026-04-06 01:29:14 UTC\r\nWe’re rewinding the clock a bit to tell the tale of how we detected and helped prevent REvil (aka Sodinokibi)\r\nactivity associated with zero days in Kaseya’s IT management software last year, before we or anyone else knew\r\nabout the vulnerabilities, their impact, or the severity of the follow-on ransomware attacks. For some, this story is a\r\nstark reminder of the importance of incident response planning and intelligence. For others—practitioners tasked\r\nwith defending networks large and small—it also brings into focus the efficacy of broad, behavior-based detections.\r\nHow it started\r\nJust after 1 PM (ET) on July 2, 2021, an adversary leveraged the Kaseya Virtual System Administrator (VSA)\r\nagent agentmon.exe to launch the Windows command processor and execute a variety of malicious actions. Within five\r\nminutes, the Red Canary detection engineering team was investigating events generated by this suspicious activity.\r\nhttps://redcanary.com/blog/uncompromised-kaseya/\r\nPage 1 of 4\n\nThe command-line arguments in question included two groupings of conspicuously suspicious actions, both of\r\nwhich were caught by existing Red Canary detection analytics:\r\n1. Multiple commands designed to disable Windows Defender security features\r\n2. The relocation and execution of the Windows certificate utility (certutil.exe) to\r\ndecode a .crt file\r\nWhile the purpose of the former commands is self-evident (the adversary wanted to evade defensive controls), the\r\nlatter activity requires some explanation.\r\nSidebar: Decoding malicious payloads with certutil.exe\r\nNearly five years ago, then detection engineering manager Joe Moles committed a new detection analytic to our\r\ndetector repo that looked for adversaries leveraging certutil.exe to decode malicious payloads. 
The -decode switch of certutil.exe Base64-decodes any input file regardless of its extension, so an adversary can drop\r\nan encoded executable disguised as a .crt certificate file and turn it back into a binary using a signed, built-in\r\nWindows tool rather than bringing a decoder of their own. Adversaries\r\nconsistently use this utility to stage and deliver malicious payloads, and we’ve observed this behavior in hundreds of\r\nconfirmed threat detections since initially developing the detection analytic.\r\nThe ultimate payload\r\nAll of this activity was merely a prelude. Less than an hour after detecting the initial defense evasion and execution\r\nactivity, we observed a series of malicious registry modifications.\r\nThanks to research conducted by our Intelligence team in late 2020 and open source reports by the likes of Unit\r\n42, we were immediately able to associate these registry modifications with a known ransomware threat called\r\nREvil, based on the following registry modification paths:\r\nSoftware\\blacklivesmatter\r\nsoftware\\wow6432node\\blacklivesmatter\r\nThe second path is the same key as seen through WOW64 registry redirection, which is where a 32-bit process\r\nwriting under Software on 64-bit Windows lands, so a detection that matches on the key name rather than the full\r\npath covers both.\r\nWithin 12 minutes of this threat occurring, the Red Canary Incident Handling team was proactively reaching out\r\nto the affected customer to help them begin responding to the incident. Unfortunately, the customer’s security\r\nteam was off for the holiday weekend and was part of a legacy customer group that hadn’t upgraded its\r\ncontract to include access to Automate. Recognizing the severity of the situation, we activated Automate,\r\ndeveloped some custom playbooks, and started automatically banning hashes, collecting forensics packages, and\r\nisolating endpoints within roughly two hours of the initial threat occurring.\r\nAdditional detections\r\nIn isolation, this was just a single instance of an adversary using the Kaseya IT management platform to deliver a\r\nmalicious payload. In fact, this wasn’t the first time we’d observed adversaries abusing Kaseya in an effort to\r\ndeliver ransomware.\r\nHowever, just 23 minutes after the first threat occurred, we observed the same behavior in a second customer\r\nenvironment. Roughly an hour after the initial threat, we detected this behavior in a third environment. 
This\r\nprocess—excepting the response complications for the first customer—effectively repeated itself across two more\r\ncustomers and dozens of endpoints over the span of three days.\r\nInternal and external intelligence\r\nLess than an hour and a half after the initial threat occurred, the Red Canary Threat Research and Intelligence\r\nteams had finished reverse engineering the ransomware payload and began drafting their findings.\r\nWhile we were working incidents across multiple customers, initial public information started to appear on Reddit\r\nand Twitter roughly an hour after we initially detected the threat. Kaseya eventually acknowledged the incidents in\r\na formal announcement roughly two-and-a-half hours after our first detections.\r\nCustomer communication\r\nA little more than six hours after the initial threat occurred, the Red Canary Threat Intelligence team had compiled\r\neverything we knew about this incident—information drawn from customer detections, reverse engineering, and\r\nopen source reporting, to name a few sources—into a bulletin that we promptly sent to every Red Canary\r\ncustomer.\r\nIn retrospect\r\nIn the days that followed the incident, we learned that REvil had exploited a series of four zero-day vulnerabilities\r\nin Kaseya VSA, which ultimately enabled the group to gain initial access, upload the malicious payload, bypass security\r\ncontrols, and execute the payload. Kaseya would eventually patch these vulnerabilities on July 11.\r\nA zero day is just a means to an end. It might provide an adversary access, elevate their privileges, or help them\r\nperform a variety of other actions. That aside, the exploitation of any vulnerability—known or unknown—is just\r\none part of a much broader campaign that almost certainly involves other activity. 
By developing a robust\r\nbehavioral detection program, security teams can achieve a level of defense in depth that offers visibility into—\r\nand protection against—a wide variety of threats, regardless of the techniques at hand.\r\nSource: https://redcanary.com/blog/uncompromised-kaseya/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/uncompromised-kaseya/"
	],
	"report_names": [
		"uncompromised-kaseya"
	],
	"threat_actors": [],
	"ts_created_at": 1775441491,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75b77d5d3b15a2044426beef295ef312b5c0f9b7.pdf",
		"text": "https://archive.orkl.eu/75b77d5d3b15a2044426beef295ef312b5c0f9b7.txt",
		"img": "https://archive.orkl.eu/75b77d5d3b15a2044426beef295ef312b5c0f9b7.jpg"
	}
}