{
	"id": "a691596c-91d6-4771-a286-e5383172ae10",
	"created_at": "2026-04-06T00:21:17.449138Z",
	"updated_at": "2026-04-10T13:11:52.845065Z",
	"deleted_at": null,
	"sha1_hash": "7b9aab5c116421e9ef6197bac43aa1712e8a1148",
	"title": "Threat Brief: Kaseya VSA Ransomware Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47566,
	"plain_text": "Threat Brief: Kaseya VSA Ransomware Attack\r\nBy Unit 42\r\nPublished: 2021-07-03 · Archived: 2026-04-05 14:47:04 UTC\r\nExecutive Summary\r\nOn July 2, attackers reportedly launched attacks against users of the Kaseya VSA remote monitoring and management software as well as customers of multiple managed service providers (MSPs) that use the software. They used access to the VSA software to deploy ransomware associated with the REvil/Sodinokibi ransomware-as-a-service group, according to reports. Kaseya has stated that the attack was conducted by exploiting a vulnerability in its software, and said it is working on a patch. The company has not released further information on the vulnerability. Kaseya recommends that any organization using VSA shut the system down immediately. CISA has also issued a bulletin asking organizations using the software to follow Kaseya guidance.\r\nThe full extent of the attack is currently unknown. Kaseya states that fewer than 40 of its customers are impacted. If those customers include MSPs, many more organizations could have been attacked with the ransomware. Kaseya VSA’s functionality allows administrators to remotely manage systems. If an MSP’s VSA system was compromised, that could allow an attacker to deploy malware into multiple networks managed by that MSP.\r\nThere has been much speculation about the nature of this attack on social media and other forums. We have not been able to independently determine how these attacks were conducted.
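The web log IOCs and IP addresses Kaseya published, reproduced later in this brief, are the quickest things to sweep for in the IIS logs of an exposed VSA server. The following Python is an added example written for this edit, not code from the Unit 42 brief or from Kaseya: it reads an IIS W3C log (taking column positions from the #Fields header rather than assuming them), flags any request whose method, URI stem and user agent match a published IOC or whose client IP is one of the published addresses, and reports which client IPs produced the full dl.asp, done.asp, KUpload.dll, userFilterTableRpt.asp chain in order. The lines in SAMPLE_LOG are constructed for illustration; the column layout is an assumption and should be checked against the #Fields line of the real logs.

```python
# Added example (not from the Unit 42 brief or Kaseya): sweep IIS W3C web logs for the
# Kaseya-provided web log IOCs and IP addresses quoted in this brief.
# Assumptions: the log carries a #Fields header (IIS writes one), and the sample
# lines below are constructed for illustration, not captured data.
import ipaddress

# Request-line IOCs from the Kaseya incident overview: method, URI stem, user agent.
REQUEST_IOCS = {
    ('POST', '/dl.asp', 'curl/7.69.1'),
    ('GET', '/done.asp', 'curl/7.69.1'),
    ('POST', '/cgi-bin/KUpload.dll', 'curl/7.69.1'),
    ('POST', '/userFilterTableRpt.asp', 'curl/7.69.1'),
}

# Source IPs from the same Kaseya advisory (defanging brackets removed).
IP_IOCS = {
    ipaddress.ip_address('35.226.94.113'),
    ipaddress.ip_address('161.35.239.148'),
    ipaddress.ip_address('162.253.124.162'),
}

# The full upload chain from one client is far stronger evidence than a lone done.asp hit.
FULL_CHAIN = ['/dl.asp', '/done.asp', '/cgi-bin/KUpload.dll', '/userFilterTableRpt.asp']

# Constructed sample IIS W3C log (assumed column layout; check #Fields in real logs).
SAMPLE_LOG = '''#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-07-02 14:31:02 10.0.0.5 GET /vsapres/web20/core/login.aspx - 443 203.0.113.7 Mozilla/5.0 200
2021-07-02 14:32:10 10.0.0.5 POST /dl.asp - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 14:32:11 10.0.0.5 GET /done.asp - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 14:32:12 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 14:32:13 10.0.0.5 POST /userFilterTableRpt.asp - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 14:40:00 10.0.0.5 GET /done.asp - 443 198.51.100.9 curl/7.69.1 200
'''


def parse_w3c(text):
    '''Yield one dict per request line, keyed by the names in the #Fields header.'''
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if line.startswith('#') or fields is None:
            continue
        values = line.split(' ')
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(entry):
    '''Return the reasons an entry matches the IOCs (empty list means no match).'''
    reasons = []
    key = (entry.get('cs-method'), entry.get('cs-uri-stem'), entry.get('cs(User-Agent)'))
    if key in REQUEST_IOCS:
        reasons.append('request ' + ' '.join(key))
    try:
        if ipaddress.ip_address(entry.get('c-ip', '')) in IP_IOCS:
            reasons.append('source ip ' + entry['c-ip'])
    except ValueError:
        pass  # c-ip column missing or not an address
    return reasons


def sweep(text):
    '''Return (hits, sequences): matching entries, and per client IP the IOC URI stems seen in order.'''
    hits = []
    sequences = {}
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if not reasons:
            continue
        when = entry.get('date', '-') + ' ' + entry.get('time', '-')
        hits.append((when, entry.get('c-ip', '-'), reasons))
        if any(r.startswith('request') for r in reasons):
            sequences.setdefault(entry.get('c-ip', '-'), []).append(entry['cs-uri-stem'])
    return hits, sequences


def chained_clients(sequences):
    '''Client IPs whose IOC requests contain FULL_CHAIN in order (as a subsequence).'''
    out = []
    for ip, stems in sequences.items():
        i = 0
        for stem in stems:
            if i < len(FULL_CHAIN) and stem == FULL_CHAIN[i]:
                i += 1
        if i == len(FULL_CHAIN):
            out.append(ip)
    return out


if __name__ == '__main__':
    hits, sequences = sweep(SAMPLE_LOG)
    for when, ip, reasons in hits:
        print(when, ip, '; '.join(reasons))
    print('full chain from:', chained_clients(sequences))
```

A single matching request may be unrelated scanning; the ordered chain from one client is the pattern the Kaseya sequence describes, so triage those clients first and then pivot to the three file hashes on the endpoints that VSA server manages.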
\r\nMultiple sources have stated that the following three files were used to install and execute the ransomware attack on Windows systems:\r\nagent.exe | d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e\r\nmpsvc.dll | e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2\r\nmpsvc.dll | 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd\r\nPalo Alto Networks WildFire, Threat Prevention and Cortex XDR detect and prevent REvil ransomware infections.\r\nAs more information becomes available on the nature of this attack, we will update this brief to provide additional details.\r\nIndicators of Compromise\r\nKaseya Connected REvil Executables\r\nd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e\r\n8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd\r\ne2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2\r\nhttps://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/\r\nKaseya-provided IOCs are below:\r\nSource: Incident Overview and Technical Details, Kaseya\r\n35.226.94[.]113\r\n161.35.239[.]148\r\n162.253.124[.]162\r\nWeb log IOCs\r\nPOST /dl.asp curl/7.69.1\r\nGET /done.asp curl/7.69.1\r\nPOST /cgi-bin/KUpload.dll curl/7.69.1\r\nGET /done.asp curl/7.69.1\r\nPOST /cgi-bin/KUpload.dll curl/7.69.1\r\nPOST /userFilterTableRpt.asp curl/7.69.1\r\nSource: https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/"
	],
	"report_names": [
		"threat-brief-kaseya-vsa-ransomware-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434877,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b9aab5c116421e9ef6197bac43aa1712e8a1148.pdf",
		"text": "https://archive.orkl.eu/7b9aab5c116421e9ef6197bac43aa1712e8a1148.txt",
		"img": "https://archive.orkl.eu/7b9aab5c116421e9ef6197bac43aa1712e8a1148.jpg"
	}
}