{
	"id": "bd69dee0-a97e-423b-a10f-4f7b6659ff35",
	"created_at": "2026-04-06T01:31:23.625841Z",
	"updated_at": "2026-04-10T03:35:03.250832Z",
	"deleted_at": null,
	"sha1_hash": "9449db68c86093bdb8b526d9f23abb3d9defd606",
	"title": "How CrowdStrike Stops Ransomware Used in the Kaseya Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 197561,
	"plain_text": "How CrowdStrike Stops Ransomware Used in the Kaseya Attack\r\nBy Karan Sood - Liviu Arsene\r\nArchived: 2026-04-06 01:26:31 UTC\r\nKaseya, makers of popular IT software used by managed service providers (MSPs), was recently affected by a REvil ransomware attack.\r\nCrowdStrike associates REvil ransomware with the PINCHY SPIDER threat actor.\r\nThe CrowdStrike Falcon® platform protects customers from REvil ransomware.\r\nThe Falcon platform prevents REvil in early stages of execution using machine learning and behavior-based detection.\r\nThe recent REvil ransomware incident involving the compromise of a remote management software vendor, Kaseya, did not endanger CrowdStrike customers because the CrowdStrike Falcon® platform would have functioned to block the REvil ransomware attack on their systems. Using the power of machine learning and behavior-based detection, the Falcon platform is able to identify and block REvil ransomware in the early stages of the attack. For the best protection, Falcon customers should enable “Suspicious Processes” detection, which is among the policies CrowdStrike recommends for the Falcon platform. CrowdStrike Intelligence has been tracking the evolution of REvil ransomware and the PINCHY SPIDER threat actor group developing it since 2018. The group is believed to have also been involved in the development of the now defunct GandCrab ransomware. Similarities between REvil (also known as “Sodinokibi”) and GandCrab led CrowdStrike Intelligence to suspect that these two ransomware families are related.\r\nWhat Happened?\r\nOn Friday, July 2, 2021, REvil ransomware operators managed to compromise Kaseya VSA software, used to monitor and manage Kaseya customers’ infrastructure. REvil ransomware operators used zero-day vulnerabilities to deliver a malicious update, compromising fewer than 60 Kaseya customers and 1,500 downstream companies, according to Kaseya’s public statement. 
These vulnerabilities were previously identified and privately reported to Kaseya by the Dutch Institute for Vulnerability Disclosure. Current reports suggest that the REvil operator made use of a privately disclosed vulnerability, now tracked as CVE-2021-30116, in order to achieve execution. Kaseya has recommended that on-premises partners keep their VSA servers offline, as they are currently in the process of releasing a patch to address the issues. Meanwhile, recent reports suggest REvil operators initially asked for a ransom of $70 million USD, claiming to have infected more than 1 million systems. A surprising development is that REvil operators may have lowered the ransom demand to $50 million USD along with an offer of a universal decryptor for all victims.\r\nHow CrowdStrike Falcon Protects Customers From REvil Ransomware\r\nThe Falcon platform was designed from the ground up to leverage the power of the cloud, machine learning and behavioral detection to protect organizations from sophisticated attacks and threats, such as ransomware. The Falcon platform takes a layered approach to prevent, identify and protect customers from ransomware, including REvil ransomware.\r\nhttps://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/\r\nPage 1 of 4\r\nIn this particular case, the Falcon sensor can prevent the attack whenever a suspicious process usually associated with ransomware is triggered, as well as detect the REvil ransomware using on-sensor and in-the-cloud machine learning and behavioral detection with indicators of attack (IOAs). It can also detect if a legitimate process, such as the one associated with the Kaseya VSA, is attempting to load malicious code. 
In addition, the Falcon OverWatch™ team is constantly monitoring and will immediately notify customers if they observe behaviors associated with nation-state or eCrime threat actors like PINCHY SPIDER, enabling the customer to take action against the threat. Falcon has the ability to protect clients from this campaign by identifying suspicious processes associated with ransomware. The Falcon platform uses IOAs to detect and prevent suspicious processes from being executed and protects customers from ransomware campaigns early in the attack chain, before the payload is executed.\r\nThe unique leverage that machine learning brings to the security industry is that it can identify both known and unknown malware, by understanding malicious intent based solely on the attributes of a file without prior knowledge of it. Falcon machine learning can provide coverage for REvil ransomware by accurately identifying and blocking the attack in multiple places. Falcon protects customers from ransomware, including new or unknown REvil samples, and accurately identifies and blocks malicious behavior indicative of ransomware.\r\nFalcon utilizes a multi-layered approach to IOA coverage that targets multiple steps in an attack chain. In this case, the Kaseya process spawns a cmd shell to perform subsequent malicious actions such as disabling various scanning and other security solutions on the endpoint. Falcon detects this behavior and terminates the cmd shell, thwarting the attack.\r\nThis prevents REvil from being dropped to disk and sideloaded into MsMpeng.exe, an older but legitimate version of a Windows Defender binary. Such coverage is the result of intelligence derived from our continuous monitoring of the tactics, techniques and procedures (TTPs) associated with malware and threat actors’ behavior. 
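The two behaviors just described, an RMM agent spawning a cmd shell that tampers with endpoint defenses and a payload sideloaded into an old MsMpeng.exe, expressed as detection logic run over constructed process-creation and image-load events. This is an added Python example, not code from the CrowdStrike post or from the Falcon sensor. It assumes AgentMon.exe as the Kaseya VSA agent process name and mpsvc.dll as the module sideloaded into MsMpeng.exe (the post names neither), and every sample event below is invented for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed Sysmon-style telemetry, not taken from the CrowdStrike post.
# Paths use forward slashes; PureWindowsPath still treats them as Windows
# paths and compares them case-insensitively.


@dataclass(frozen=True)
class ProcessCreate:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class ImageLoad:
    image: str    # process that loaded the module
    loaded: str   # full path of the loaded module
    signed: bool  # module carries a valid Authenticode signature


# Assumption: AgentMon.exe is the Kaseya VSA agent; the post only says 'the Kaseya process'.
RMM_AGENTS = {'agentmon.exe'}
SHELLS = {'cmd.exe', 'powershell.exe'}
# Assumption: mpsvc.dll is the module REvil sideloads into the old MsMpeng.exe.
SIDELOAD_HOSTS = {'msmpeng.exe': {'mpsvc.dll'}}
# Directories where a genuine MsMpeng.exe is expected to live.
DEFENDER_DIRS = (
    PureWindowsPath('C:/Program Files/Windows Defender'),
    PureWindowsPath('C:/ProgramData/Microsoft/Windows Defender/Platform'),
)
# Command-line fragments that weaken endpoint defenses or destroy recovery points.
TAMPER_MARKERS = (
    'set-mppreference', 'disablerealtimemonitoring', 'disableioavprotection',
    'disablebehaviormonitoring', 'vssadmin delete shadows',
)


def basename(path):
    return PureWindowsPath(path).name.lower()


def check_process(ev):
    # Rule 1: an RMM agent spawning a shell is the lineage the post describes.
    # Rule 2: defense tampering on the command line, regardless of lineage.
    alerts = []
    if basename(ev.parent_image) in RMM_AGENTS and basename(ev.image) in SHELLS:
        alerts.append(('rmm_spawns_shell', ev.image))
    cmd = ev.command_line.lower()
    if any(marker in cmd for marker in TAMPER_MARKERS):
        alerts.append(('defense_tamper', ev.command_line))
    return alerts


def check_image_load(ev):
    # Rule 3: a sideload-prone signed host loading its companion DLL from its own
    # directory, where that directory is not a Defender install path or the DLL
    # is unsigned. A genuine Defender engine loading a signed mpsvc.dll from a
    # Platform directory is left alone.
    host = basename(ev.image)
    if basename(ev.loaded) not in SIDELOAD_HOSTS.get(host, set()):
        return []
    exe_dir = PureWindowsPath(ev.image).parent
    dll_dir = PureWindowsPath(ev.loaded).parent
    in_defender_dir = any(exe_dir == d or d in exe_dir.parents for d in DEFENDER_DIRS)
    if dll_dir == exe_dir and (not in_defender_dir or not ev.signed):
        return [('sideload', ev.loaded)]
    return []


def scan(events):
    alerts = []
    for ev in events:
        alerts.extend(check_process(ev) if isinstance(ev, ProcessCreate) else check_image_load(ev))
    return alerts


# Constructed sample: one malicious chain plus two benign events.
SAMPLE_EVENTS = [
    ProcessCreate('C:/Program Files (x86)/Kaseya/AgentMon.exe', 'C:/Windows/System32/cmd.exe',
                  'cmd.exe /c powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true'),
    ProcessCreate('C:/Windows/System32/cmd.exe', 'C:/Users/Public/agent.exe', 'agent.exe'),
    ImageLoad('C:/Users/Public/MsMpeng.exe', 'C:/Users/Public/mpsvc.dll', signed=False),
    ImageLoad('C:/ProgramData/Microsoft/Windows Defender/Platform/4.18.2103.7/MsMpEng.exe',
              'C:/ProgramData/Microsoft/Windows Defender/Platform/4.18.2103.7/mpsvc.dll',
              signed=True),
    ProcessCreate('C:/Windows/explorer.exe', 'C:/Windows/System32/cmd.exe', 'cmd.exe /c dir'),
]

if __name__ == '__main__':
    for rule, detail in scan(SAMPLE_EVENTS):
        print(rule, detail)
```

With Sysmon, Event ID 1 supplies the ParentImage, Image and CommandLine fields used by the first two rules and Event ID 7 supplies ImageLoaded and Signed for the third. The lineage rule is the one a trusted, signed parent can defeat by proxying through an intermediate process, which is why the tamper and sideload rules key on what the process does and where the module comes from rather than on who spawned it.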
The Falcon platform also has the ability to identify the proxying of malicious command execution through a trusted parent process with signed binaries, effectively detecting and preventing adversaries from abusing the VSA vulnerability and delivering the malicious payload. The original post illustrates this ability with a screenshot of the Falcon detection.\r\nThe Falcon platform protects customers from threats such as REvil ransomware as well as sophisticated adversaries every day. It’s through our layered approach to security that we secure the assets that matter most to our customers and remain focused on our mission to stop breaches.\r\nRecommendations\r\n1. Use leading security technologies. Organizations need to use the right security technologies to protect their infrastructure and most valuable assets from ransomware.\r\n2. Use an endpoint security solution that takes a layered approach to preventing, identifying and protecting customers from ransomware.\r\n3. Do not give in to ransomware demands. The U.S. government, law enforcement and security companies recommend that organizations faced with ransomware demands should not give in to extortion.\r\n4. You are not alone: seek help and advice from experts. Companies experiencing security incidents may have a difficult time or not have the resources for investigating and recovering on their own.\r\nIf you suspect that your organization may have been impacted by REvil or any other threat, we are here to help immediately with a Compromise Assessment to identify ongoing or past attacker activity in your organization’s environment. 
CrowdStrike Falcon has been named a leader in the Gartner 2021 Magic Quadrant for Endpoint Protection Platforms (EPP) and The Forrester Wave™ Endpoint Security Software As A Service, and has demonstrated its detection and protection capabilities in tests performed by MITRE, SE Labs and AV-Comparatives, all leading independent testing organizations.\r\nAdditional Resources\r\nLearn more about PINCHY SPIDER, CARBON SPIDER and other ransomware adversaries in the CrowdStrike Adversary Universe.\r\nDownload the CrowdStrike 2021 Global Threat Report for more information about adversaries tracked by CrowdStrike Intelligence in 2020.\r\nSee how the powerful, cloud-native CrowdStrike Falcon platform protects customers from DarkSide ransomware in this blog: DarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected.\r\nGet a full-featured free trial of CrowdStrike Falcon Prevent and learn how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/"
	],
	"report_names": [
		"how-crowdstrike-stops-revil-ransomware-from-kaseya-attack"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Silicon"
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439083,
	"ts_updated_at": 1775792103,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9449db68c86093bdb8b526d9f23abb3d9defd606.pdf",
		"text": "https://archive.orkl.eu/9449db68c86093bdb8b526d9f23abb3d9defd606.txt",
		"img": "https://archive.orkl.eu/9449db68c86093bdb8b526d9f23abb3d9defd606.jpg"
	}
}