{
	"id": "d6bab5ee-5482-4f01-8a1f-ab4142e9abe7",
	"created_at": "2026-04-06T00:16:04.820433Z",
	"updated_at": "2026-04-10T03:22:00.472103Z",
	"deleted_at": null,
	"sha1_hash": "9513bc8fe2c3513752ce8977fa2a70d440064ed6",
	"title": "Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1394828,
	"plain_text": "Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt | Splunk\r\nBy Ryan Kovar\r\nPublished: 2021-07-05 · Archived: 2026-04-05 22:36:05 UTC\r\nAuthors and Contributors: As always, security at Splunk is a family business.\r\nCredit to author Ryan Kovar and collaborators: Mick Baccio, Drew Church, Shannon Davis, Lily Lee, James Brodsky, John\r\nStoner, Matt Krumholz, Eric Schou.\r\nWhile Splunk was not impacted by the ransomware attack, as a security leader we want to help the industry by providing\r\ntools, guidance and support. If you want to see how to find Kaseya REvil specifics, skip down to the “Detecting REvil\r\nRansomware Kaseya in Splunk” sections. Otherwise, read on for a quick breakdown of what happened, how to detect it,\r\nand MITRE ATT\u0026CK mappings.\r\nIntroduction\r\nWhen Splunk told me we would have a “breach holiday” theme for the summer, I didn’t think it would be quite so on the\r\nnose… For those of you who have been working on this Kaseya REvil Ransomware incident over the weekend, I salute you.\r\nWe’ve been doing the same. As usual, my team here at Splunk likes to make sure that we have some actionable material\r\nbefore posting a blog, and this time is no different. In the sections below, you will see that we break this out into a little bit\r\nof a different format than usual. We first discuss what happened and what you need to know if you are actively\r\nhunting/looking for REvil ransomware via the Kaseya VSA. We then discuss the work done by Splunk's Threat Research\r\nTeam regarding a deep dive on REvil, which you can read here. This deep dive will complement our significant, existing\r\nbody of content focused on helping organizations detect any and all strains of ransomware. 
Heck, we even did a write-up\r\ntalking about the Executive Order and memo on ransomware from the US Federal government.\r\nFinally, we will talk about the future; what we have in store to help you train and better prepare for events like this before\r\nthey happen again. Not to mention how to think about your software supply chain. Why? Because like your alarm clock\r\nblasting “I’ve got you babe” every morning at 6 AM, this will happen again. Our recent “State of Security” report showed\r\nthat 78% of security and IT leaders fear that a SolarWinds-style attack will hit them. Guess what? This is one of them.\r\nAs always, remember that this is a breaking news event, and while every effort has been made, some of our recommended\r\nsearches may not be as accurate or performant as we desire.\r\nWhat You Need to Know\r\nOn Friday afternoon, July 2nd, 2021, in what is becoming entirely too familiar a scenario, internet rumors of a \"supply-chain\r\nransomware\" attack began circulating on Reddit. As reports of more systems becoming encrypted surfaced, the \"rumors\"\r\nwere confirmed: Kaseya VSA, remote monitoring management (RMM) software heavily used by managed service providers\r\n(MSP), was compromised by REvil, and being used to distribute ransomware to its on-premises customers. Since VSA\r\nrequires elevated permissions to execute, an adversary was able to use it to disable Microsoft Defender and efficiently\r\ndistribute ransomware via endpoint agents. Its compromise led to a cascading effect of encrypted machines at the MSP\r\ncustomers. Eventually, organizations that don't even use Kaseya were being infected with ransomware. As this is an ongoing\r\nincident, we'll provide updates and content as we collect more data.\r\nWorried about Today, Tomorrow, and Beyond?\r\nUnpacking this latest incident shows three significant security areas to address. 
We’ll be releasing content to help in each of\r\nthese areas, so stay tuned.\r\nRansomware is one of the biggest security threats to most organizations today - The frequency and severity of\r\nransomware attacks are increasing, as are the blogs and guidance we release to help net defenders maintain their\r\norganization's security posture.\r\nOperational supply chain compromises and their impacts - The diversity and complexity of interconnected\r\nservices we rely on daily - a fancy way of saying if a cog in that technical or service wheel gets stuck (or…\r\nencrypted) - uhoh, trouble.\r\nYour software supply chain - The Kaseya incident very much has shades of PHP/SolarWinds activity, showing how\r\ndestructive unauthorized modifications to software packages can be. If you are a software developer or a user of the\r\nhttps://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html\r\nPage 1 of 9\n\nsoftware, it has become increasingly apparent that organizations need to have a better understanding of the processes\r\ninvolved in updating or developing software that they use or sell.\r\nIf you are a Kaseya VSA on-prem customer, drop down to the “Detecting REvil Ransomware Kaseya in Splunk” section to\r\nimmediately assess your environment using Splunk or take a peek at the wealth of content in the MITRE ATT\u0026CK section\r\nwhere we pull every Splunk security search we have that maps to REvil TTPs via the MITRE ATT\u0026CK method.\r\nDetecting REvil Ransomware Kaseya in Splunk\r\nAs many of you know, the primary challenge in detecting ransomware is the speed with which ransomware can impact\r\nsystems. With a rapid response, the spread of ransomware can be limited. Unfortunately, in most cases, by the time an attack\r\nis detected, files are already encrypted. 
That said, we want to provide some insight into detections that provide awareness of\r\nthese activities happening (as well as actions one can take to mitigate the risk of attacks like this).\r\nWith that in mind, we are providing a set of indicators and Splunk searches to help uncover this Kaseya REvil activity in your environment. If\r\nyou use Enterprise Security and other Splunk products, take a look at the “Know Thyself” section below for how to scan and\r\ndetermine your network's susceptibility to this specific attack.\r\nIndicators of Compromise (IOCs)\r\nSophos and Cado Security have both published IOCs for Kaseya. Throw them into a Lookup table or ES threat intel\r\nframework, and off you go! We have converted these indicators into a simple CSV format to use them as lookup tables -\r\nthey are posted here.\r\nAdditionally, Cado Security has published a sample packet capture (PCAP) file on their GitHub repository covering\r\nSSL/TLS connections to some of the domains contained in the IOC data above.\r\nSearches\r\nHuntress has done great work detailing activities that the ransomware code performs, and we will highlight some of this in\r\nour detection searches. From a Splunk detection perspective, here are some data sets that we always suggest collecting:\r\nProcess execution logs from our favorite Windows Security 4688 events, or Sysmon EventCode 1, or any\r\ncommercial EDR, are crucial to detecting the processes involved in actions on objectives and lateral movement, amongst\r\nother activities.\r\nPowerShell Script Block Logging is also critical to detect certain modules being used where you don’t expect them and the\r\nuse of encoded PowerShell.\r\nOne of its initial endpoint actions is to disable a litany of Microsoft Defender for Endpoint technologies when the\r\nransomware runs. A litany, you say? 
It will disable real-time monitoring, IPS, cloud lookup, script scanning, controlled\r\nfolder access, network protection, and stop cloud sample submissions.\r\nIt accomplishes this by issuing a single PowerShell command to turn these all off, so if you are monitoring PowerShell scripting,\r\nthis could be a quick hit if you see all of these protections being disabled concurrently.\r\nThe detection search below requires a configuration in your inputs.conf file to monitor WinEventLog://Microsoft-Windows-PowerShell/Operational on the client where your Splunk Universal Forwarder is installed.\r\nWe are only including two of the Defender technologies being turned off in the same command line for this search. A single\r\ntechnology being turned off could create false positives from authorized users, but a second technology being\r\nturned off in the same command is unlikely to be benign. Notice the wildcards in the Message field so that the search would still\r\nreturn results in case the order of the technologies is different. One other comment here: keep in mind that certain parameter names can\r\nbe shortened in scripts as well. For example, -drtm can be used in place of -disablerealtimemonitoring, so flexibility in\r\nsearches is key!\r\nsource=\"WinEventLog:Microsoft-Windows-PowerShell/Operational\"\r\n| search Message=\"*Set-MpPreference -Disable* $true* -Disable* $true*\"\r\n| table _time, host, Message\r\nIf we wanted to use the specific command found in the ransomware, we could use the following search instead. 
This would\r\nhave the benefit of creating an exact match but potentially risk missing variants that reorder the technologies in the\r\ncommand itself.\r\nsource=\"WinEventLog:Microsoft-Windows-PowerShell/Operational\"\r\n| search Message=\"*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAV\r\n| table _time, host, Message\r\nBut wait! I don’t have PowerShell logging set up today. Are there other options to detect this behavior? Of course! Microsoft\r\nSysmon, Event Code 1 for Process Creation, and Windows Security Event Code 4688, A new process has been created, are\r\ngreat to use as well.\r\nHere is what the Sysmon Event Code 1 search would look like. Depending on your configuration, the source and sourcetype\r\nmight vary slightly. This same logic can be applied to your EDR platform of choice.\r\nsource=\"WinEventLog:Microsoft-Windows-Sysmon/Operational\" EventCode=1 cmdline=\"*powershell.exe Set-MpPreference -DisableR\r\n| table _time, host\r\nSimilarly, if you look at process creation in Windows Event logs, your search would look like this. Depending on your\r\nconfiguration, the source and sourcetype might vary slightly.\r\nsource=\"WinEventLog:Security\" EventCode=4688 Process_Command_Line=\"*powershell.exe Set-MpPreference -DisableRealtimeMonit\r\n| table _time, host\r\nWindows Defender status is logged to the Application folder in Windows Event Viewer. A search of the Event Code 15 and\r\nthe message in the search will indicate when Defender real-time monitoring has been turned off in the manner of this\r\nransomware. 
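The ordering and abbreviation problem described above (the same protections can appear in any order, or as short aliases such as -drtm, and a wildcard search has to anticipate every variant) is easier to reason about in code than in one SPL pattern. The Python below is an added example and is not code from this Splunk post, from the REvil sample or from Kaseya: it pulls the Set-MpPreference parameters out of constructed script block Message text, canonicalises each -Disable* parameter (the -drtm alias is the one the post mentions; the long names are the cmdlet's own parameters, and PowerShell's unambiguous-prefix matching is why a bare prefix such as -DisableRealtime also resolves), and flags any event that switches off two or more protections in a single call, the same two-hit threshold the first search above uses. The sample events, host names, the selection of canonical names and the alias table are assumptions of the example.

```python
# Added example (not from the Splunk post): pure-Python version of the
# 'two or more Defender protections disabled in one Set-MpPreference call'
# detection, run over constructed PowerShell script block log text.

# Long Set-MpPreference parameter names that switch a protection off.
# These are real cmdlet parameters; which ones to include is an assumption.
CANONICAL = [
    'DisableRealtimeMonitoring',
    'DisableIntrusionPreventionSystem',
    'DisableIOAVProtection',
    'DisableScriptScanning',
    'DisableBehaviorMonitoring',
    'DisableBlockAtFirstSeen',
]

# Short aliases. -drtm is the one the post calls out; extend this table from
# the cmdlet documentation for your environment (assumption: only drtm here).
ALIASES = {'drtm': 'DisableRealtimeMonitoring'}

# Constructed sample events: (host, Message text of a script block event).
SAMPLE_EVENTS = [
    ('ws01', 'Set-MpPreference -DisableRealtimeMonitoring $true'),
    ('ws02', 'Set-MpPreference -DisableRealtimeMonitoring $true '
             '-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true '
             '-DisableScriptScanning $true'),
    ('ws03', 'set-mppreference -DisableIOAVProtection $true -drtm $true'),
    ('ws04', 'Set-MpPreference -DisableScriptScanning $false -DisableRealtimeMonitoring $true'),
    ('ws05', 'Set-MpPreference -DisableRealtime:$true -DisableBlock $true'),
    ('ws06', 'Get-MpPreference'),
]


def canonical_name(token):
    # Map a -Param, -alias or -Param:value token to its long parameter name.
    name = token.lstrip('-').split(':', 1)[0].lower()
    if name in ALIASES:
        return ALIASES[name]
    # PowerShell accepts any unambiguous prefix of a parameter name.
    matches = [c for c in CANONICAL if c.lower().startswith(name)]
    return matches[0] if len(matches) == 1 else None


def disabled_protections(command):
    # Return the canonical names of every protection this command switches off.
    tokens = command.split()
    if not any(t.lower() == 'set-mppreference' for t in tokens):
        return []
    found = []
    for i, tok in enumerate(tokens):
        if not tok.startswith('-'):
            continue
        canon = canonical_name(tok)
        if canon is None:
            continue
        if ':' in tok:                      # -Param:$true form
            value = tok.split(':', 1)[1]
        else:                               # -Param $true form
            value = tokens[i + 1] if i + 1 < len(tokens) else ''
        if value.lower() in ('$true', '1'):
            found.append(canon)
    return found


def flag_events(events, threshold=2):
    # One protection off may be an admin; two or more in the same call is the
    # pattern the post's search keys on. Returns (host, sorted names) per hit.
    hits = []
    for host, message in events:
        off = disabled_protections(message)
        if len(off) >= threshold:
            hits.append((host, sorted(off)))
    return hits


if __name__ == '__main__':
    for host, names in flag_events(SAMPLE_EVENTS):
        print(host, ', '.join(names))
```

Running it flags ws02, ws03 and ws05 and leaves ws01 and ws04 alone, which is the behaviour the two-hit wildcard search is approximating; the prefix resolution is what makes -DisableRealtime and -DisableBlock count even though neither string appears in the ransomware's own command line.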
Just because you see these events does NOT mean you have been infected, but it does indicate that Defender\r\nreal-time was turned off, and if the other search options above are not available to you, this might be a place to start.\r\nsource=\"WinEventLog:Application\" EventCode=15 Message=\"Updated Windows Defender status successfully to SECURITY_PRODUCT_S\r\n| table _time host Message\r\nOn the outside chance that you are sending Microsoft-Windows-Windows Defender/Operational events to Splunk, a search\r\nlike this will return events from the Defender application, and the details in the events will show when configurations of\r\nthese technologies are changed.\r\nsource=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\" EventCode IN (5001, 5004, 5007)\r\n| table _time host Message\r\nAlong with disabling Defender, an older version (circa 2014) of msmpeng.exe (Defender) is being used to sideload REvil\r\ninto the Kaseya agent software. The hash of this older executable is included in the GitHub IOC repository listed above.\r\nIf you have Sysmon EventCode 7, Image Loaded events, the following search could be helpful to detect this side-loading of\r\nmalicious DLLs as well.\r\nsource=\"WinEventLog:Microsoft-Windows-Sysmon/Operational\" EventCode=7 Image=\"*MsMpEng.exe\" ImageLoaded=\"*mpsvc.dll\" SHA25\r\nMoving into other process execution activity within the ransomware, GossiTheDog shared a specific process command line.\r\nHere is what that search looks like in both Sysmon and Windows Events, with the same caveats mentioned above.\r\nsource=\"WinEventLog:Microsoft-Windows-Sysmon/Operational\" EventCode=1 cmdline=\"c:\\\\kworking\\\\agent.exe*\"\r\n| table _time, host, cmdline\r\nsource=\"WinEventLog:Security\" EventCode=4688 Process_Command_Line=\"c:\\\\kworking\\\\agent.exe*\"\r\n| table _time, host, Process_Command_Line\r\nSplunk Enterprise Security, Splunk SOAR, and Enterprise Security Content Updates\r\n(ESCU)\r\nKnow Thyself\r\nWhile we have spent 
some time explaining this attack and effort needs to be put toward investigating this, it is also\r\nimportant to remember that the foundational elements of cyber-security, such as asset management, are as crucial as ever.\r\nWhen performed well via your asset and identity framework, you can quickly identify where your vulnerable systems reside.\r\nRunning regular vulnerability scans that integrate into Splunk will display which systems are vulnerable and can help you\r\nprioritize your patching schedule and better focus your detection efforts. In the case of ransomware, knowing which assets to\r\nprotect or are impacted as quickly as possible can be key to your defense strategy.\r\nWhile the details of the vulnerability in the Kaseya software have not yet been published, it appears that CVE-2021-30116\r\nis the identifier being assigned to it, and as vulnerability assessment solutions update their platforms, searching for this CVE will be\r\nessential to understand future exposure to this attack vector.\r\nThreat Intelligence Framework\r\nIf you are using Splunk Enterprise Security, the lookups of IOCs listed above can be ingested easily into the threat\r\nintelligence framework. Perhaps you aren’t sure how to do that. No worries, we published some guidance and a how-to on\r\nintegrating lists of IOCs into the Enterprise Security threat intelligence framework.\r\nEnterprise Security Content Updates (ESCU)\r\nIf you have ESCU running today, you already have some great coverage! For folks using ESCU, our Security Research team\r\nhas already released a new Splunk Analytic Story REvil Ransomware, containing detections for this threat. 
That said,\r\ncheck out the MITRE ATT\u0026CK table below for all the searches we can find!\r\nSplunk SOAR\r\nFor folks using Splunk SOAR, we don’t have any customized playbooks out yet, but we have lots of examples that are a\r\ngreat place to start:\r\nAutomate Your Response to WannaCry Ransomware\r\nPlaybook: Detect, Block, Contain, and Remediate Ransomware\r\nPlaybook: Ransomware Investigate and Contain\r\nSplunk Services and workshops\r\nWorkshops\r\nMaybe at this point of the day, you are thinking, “Hey, I need to get savvier about detecting and responding to\r\nransomware.” Don’t worry; Splunk has you covered. Head over to https://bots.splunk.com/ and create a Splunk.com\r\naccount. If you already have one, cool, use that and log in. You will immediately have access to a virtual “Getting Started\r\nwith Splunk for Security” workshop, AND you can enter to participate in BOTS DAY North America on August 5th, 2021.\r\nStay tuned for more content that will be coming soon!\r\nEngagements\r\nOur team of Security Professionals that are part of our Splunk Professional Services team can help you implement\r\neverything we’ve mentioned here. 
We also have more targeted offerings that can help you increase your security posture as\r\nwell.\r\nSplunk Services for Breach Response and Readiness\r\nThis is all about Splunk experts working in collaboration with you and your team to help prepare for and respond to a breach\r\nusing our suite of products.\r\nRapid data source identification and onboarding\r\nHow to incorporate and use threat intelligence\r\nPrebuilt content with searches and dashboards to facilitate faster investigation and remediation\r\nTactical response planning\r\nTabletop exercise to validate how you respond using the Splunk products you have\r\nMITRE ATT\u0026CK\r\nAfter reviewing dozens of blogs and the MITRE ATT\u0026CK team’s own review of REvil, we pulled all of our content\r\nthat maps to the MITRE ATT\u0026CK TTPs and listed them in a nice table below. Be aware: these searches are provided as a\r\nway to accelerate your hunting. We recommend you configure them via the Splunk Security Essentials App. You may need\r\nto modify them to work in your environment! Many of these searches are optimized for use with the tstats command. Some\r\nof these are so new they are coming straight out of the Splunk Threat Research Team’s repo! Please note that not all of these\r\nwill be 100% relevant to Kaseya or REvil, but more information is better than none. For detailed information on detecting\r\nREvil, make sure to read the upcoming Splunk Threat Research Team’s blog on REvil ransomware.\r\nFinally, as more information becomes available, we will update these searches if more ATT\u0026CK TTPs become known. Pay\r\nspecial attention to the Splunk searches that are BOLDED and have (NEW) with them… the STRT freshly created these to\r\nhelp you with REvil. 
(For our complete reading list, check our bibliography at the end of the blog.)\r\nHere is a list of all the MITRE ATT\u0026CK TTPs that we have found that are relevant to this incident or REvil\r\nransomware:\r\nT1134.001 T1134.002 T1071.001 T1059.001 T1059.003 T1059.005 T1485 T1486 T1140 T1189 T1573.002 T1041 T1083\r\nT1562.001 T1070.004 T1105 T1490 T1036.005 T1112 T1106 T1027 T1491 T1069.002 T1566.001 T1055 T1012 T1489\r\nT1082 T1007 T1204.002 T1047 T1204 T1218.003 T1547.001\r\nIn an attempt to get my boss off my back, I told James Brodsky that he should “create a TA that detects files being\r\nencrypted.” Of course, he took me seriously and went off and created “TA-rcanary.” This TA uses fschange, a deprecated\r\nfeature of the Splunk UF (which still works), to monitor a single randomly named .docx file in a hidden directory on the\r\nWindows filesystem. Upon the first run, the .docx file is created in this directory. Then, an fschange entry is added to the\r\ninputs.conf, and every 15 seconds, this file is monitored for any changes. If any changes occur to it (copy of it, delete it,\r\nrename it, etc.), an event is generated and indexed in Splunk, as shown below. Keep in mind that this is a very new TA and\r\nwill probably need some changes, but if it gives you “Splunkspiration” and detects some encrypted files… all the\r\nbetter!\r\nConclusion\r\nWe know that many of you are coming to this blog not because you were impacted directly by the Kaseya ransomware\r\nincident but because you are worried that you might be affected in the future. Hopefully, the content above will provide you\r\nwith searches that give you the ability to have more visibility into your environment and detect (and we hope it never does) a\r\nransomware outbreak in your network. 
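The TA-rcanary mechanism described in the MITRE section above (a randomly named decoy .docx whose every change produces an event) can be prototyped without Splunk or fschange. The Python below is an added example, not the TA's code and not from the post: it plants a decoy file in a directory, records a baseline of size, mtime and SHA-256 for every entry, and on each poll reports deleted, modified, metadata-only touched and newly created entries, so that in-place encryption, a rename to a ransom extension and a dropped ransom note each surface as distinct events rather than one generic change. The directory, the decoy's contents (a few KiB behind a ZIP magic, not a real document), the .locked extension and README.txt name in the demo, and the event vocabulary are assumptions of the example; the TA's 15-second poll corresponds to calling check_canary in a loop.

```python
# Added example (not the TA-rcanary code): a canary-file monitor in plain Python.
import hashlib
import os
import secrets
import tempfile


def fingerprint(path):
    # (size, mtime in ns, sha256): lets us tell content changes from metadata-only ones.
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            digest.update(chunk)
    return (st.st_size, st.st_mtime_ns, digest.hexdigest())


def create_canary(directory):
    # Random name so an encryptor cannot skip it by name; the body starts with the
    # ZIP magic real .docx files carry (assumption: a naive type check is enough).
    path = os.path.join(directory, secrets.token_hex(8) + '.docx')
    with open(path, 'wb') as fh:
        fh.write(b'PK' + os.urandom(4096))
    return path


def snapshot(directory):
    # Baseline of every entry in the watched directory.
    return {name: fingerprint(os.path.join(directory, name))
            for name in os.listdir(directory)}


def check_canary(directory, baseline):
    # Compare the directory against the baseline; returns sorted (event, name) pairs.
    current = snapshot(directory)
    events = []
    for name, fp in baseline.items():
        if name not in current:
            events.append(('deleted', name))
        elif current[name][2] != fp[2]:
            events.append(('modified', name))
        elif current[name][:2] != fp[:2]:
            events.append(('touched', name))
    for name in current:
        if name not in baseline:
            events.append(('created', name))
    return sorted(events)


def demo():
    # Walk through what a ransomware run typically does to the decoy and record
    # what each poll reports. Returns one event list per poll.
    with tempfile.TemporaryDirectory() as directory:
        path = create_canary(directory)
        baseline = snapshot(directory)
        observed = [check_canary(directory, baseline)]      # nothing happened yet
        with open(path, 'ab') as fh:                        # in-place encryption
            fh.write(b'not really ciphertext')
        observed.append(check_canary(directory, baseline))
        os.rename(path, path + '.locked')                   # ransom extension
        observed.append(check_canary(directory, baseline))
        note = os.path.join(directory, 'README.txt')        # ransom note dropped
        with open(note, 'wb') as fh:
            fh.write(b'pay up')
        observed.append(check_canary(directory, baseline))
        return observed


if __name__ == '__main__':
    for step in demo():
        print(step)
```

The four polls return an empty list, then a single modified event, then a created plus a deleted event for the rename, then an extra created event for the ransom note. Hashing rather than relying on mtime alone is the point: an encryptor that preserves timestamps still changes the digest, while a backup agent that only touches metadata shows up as touched and can be filtered at the alerting layer.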
If they don’t work perfectly, think of them as “SplunkSpiration” :-).\r\nWe will update this blog and add new content as needed over the next week, but keep your eyes peeled for the upcoming\r\npublication on REvil ransomware by the Splunk Threat Research team. Furthermore, Splunk will be developing significantly\r\nmore content this month around ransomware. Workshops, webinars, Twitter Spaces, and much more, so watch out for those\r\ncoming soon.\r\nFinally, even though this blog primarily focused on ransomware, the more significant concern is that this attack appears to\r\nbe propagated via the software supply chain of the victims. We recognize what a big deal this is and have dedicated sessions\r\nat October’s .conf21 around this very topic. If you are new to Supply Chain attacks and want to learn how to defend your\r\norg against things like SolarWinds or Kaseya, consider attending my talk with Marcus LaFerrerra, “Hunting the known\r\nunknown: Supply Chain Attacks” (SEC-1745). If you are a defender whose company builds software, I’d suggest attending\r\n“Securing the software factory with Splunk” (SEC-1108) by Dave Herrald and Chris Riley. No matter what you do, I hope\r\nthat you could get some enjoyment this weekend and weren’t chained to the desk like we were. As always, happy hunting :-)\r\nAnd one more thing: As we’ve stated before, this blog ain’t the first time we’re covering our approach to Ransomware:\r\n.conf talks and videos\r\nSplunking the Endpoint 2016: Ransomware Edition! 
and Video\r\nHow Splunk Can Help You Prevent Ransomware From Holding Your Business Hostage\r\nWindows Ransomware Detection with Splunk (1 of 6) – Vulnerability Detection and Windows Patch Status\r\nDetections Blogs\r\nClop Ransomware Detection: Threat Research Release, April 2021\r\nRyuk and Splunk Detections Splunk Blog\r\nDetecting Ryuk Using Splunk Attack Range\r\nDarkside of the ransomware pipeline\r\nWhitepaper\r\nSplunk Security: Detecting Unknown Malware and Ransomware\r\nSplunk SOAR Responses\r\nAutomate Your Response to WannaCry Ransomware\r\nPlaybook: Detect, Block, Contain, and Remediate Ransomware\r\nMachine Learning Method\r\nDetect Ransomware in Your Data with the Machine Learning Cloud Service\r\nOperationalizing Detections\r\nOperationalize Ransomware Detections Quickly and Easily with Splunk\r\nBibliography/Reading list\r\nBeaumont, Kevin. GossiTheDog/ThreatHunting. 2017. 3 July 2021,\r\nhttps://github.com/GossiTheDog/ThreatHunting/blob/9e3a20d7c046bd7aac765a1a7df762ac7e3acffe/AdvancedHuntingQueries/KaseyaRansomw\r\n---. “Kaseya Supply Chain Attack Delivers Mass Ransomware Event to US Companies.” Medium, 3 July 2021,\r\nhttps://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b.\r\nCado-Security/DFIR_Resources_REvil_Kaseya. 2021. Cado Security, 2021. GitHub, https://github.com/cado-security/DFIR_Resources_REvil_Kaseya.\r\ncdoman1. “Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack.” Cado\r\nSecurity, 3 July 2021, https://www.cadosecurity.com/post/resources-for-dfir-professionals-responding-to-the-revil-ransomware-kaseya-supply-chain-attack.\r\nE, Mehmet. Cyb3r-Monk/Threat-Hunting-and-Detection. 2020. 
3 July 2021, https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection/blob/4217cfec566f7f3b30d6e227fd3870a47ca390f6/Command%20and%20Control/Suspicious%20Network%20Connections%20-\r\n%20Supply%20Chain%20Attack.md.\r\n“Supply Chain Attack on Kaseya Infects Hundreds with Ransomware: What We Know.”\r\nVentureBeat, 3 July 2021, https://venturebeat.com/2021/07/03/supply-chain-attack-on-kaseya-infects-hundreds-of-victims-with-ransomware-what-we-know/.\r\nGevers, Victor. “Kaseya Case Update 2.” DIVD CSIRT, 4 July 2021, https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/.\r\nHammond, John. Rapid Response: Mass MSP Ransomware Incident. https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident. Accessed 4 July 2021.\r\nhuntresslabs. “Crticial Ransomware Incident in Progress.” R/Msp, 2 July 2021,\r\nwww.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/.\r\n“Important Notice July 3rd, 2021.” Kaseya, https://helpdesk.kaseya.com/hc/en_gb/articles/4403440684689-Important-Notice-July-3rd-2021. Accessed 3 July 2021.\r\nKaseya Ransomware Supply Chain Attack: What You Need To Know. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain. Accessed 3 July 2021.\r\n“Kaseya Supply‑chain Attack: What We Know so Far.” WeLiveSecurity, 3 July 2021,\r\nhttps://www.welivesecurity.com/2021/07/03/kaseya-supply-chain-attack-what-we-know-so-far/.\r\nKaseya VSA Supply-Chain Ransomware Attack. https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers. Accessed 3 July 2021.\r\nMark Loman @🏡. “We Are Monitoring a REvil ‘supply Chain’ Attack Outbreak, Which Seems to Stem from a Malicious\r\nKaseya Update. 
REvil Binary C:\\Windows\\mpsvc.Dll Is Side-Loaded into a Legit Microsoft Defender Copy, Copied into\r\nC:\\Windows\\MsMpEng.Exe to Run the Encryption from a Legit Process.” @markloman, 2 July 2021,\r\nhttps://twitter.com/markloman/status/1411035534554808331.\r\nMehmet Ergene. “How to Detect Software Supply Chain Attacks with #Sysmon, #MicrosoftDefender, or Any Other #EDR:\r\n1. You Use Specific Software in Your Environment. 2. The Software Is Usually Installed on a Few Servers That Have\r\nPrivileges across the Environment.” @Cyb3rMonk, 3 July 2021,\r\nhttps://twitter.com/Cyb3rMonk/status/1411404182054178826.\r\nShutdown Kaseya VSA Servers Now amidst Cascading REvil Attack against MSPs, Clients | Malwarebytes.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/amp/?__twitter_impression=true. Accessed 3 July 2021.\r\nSplunk Security Content Analytic Story - Splunk Documentation.\r\nhttps://docs.splunk.com/Documentation/ESSOC/3.24.0/stories/UseCase#Revil_ransomware. Accessed 3 July 2021.\r\nThreat-Hunting-and-Detection/Suspicious Network Connections - Supply Chain Attack.Md at Main · Cyb3r-Monk/Threat-Hunting-and-Detection. https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection/blob/main/Command%20and%20Control/Suspicious%20Network%20Connections%20-\r\n%20Supply%20Chain%20Attack.md. Accessed 3 July 2021.\r\nWill, Bushido. “My Current @MaltegoHQ Graph Researching the #REvil Supply-Chain Attack on #Kaseya:\r\nHttps://T.Co/TOk1tiqr4S.” @BushidoToken, 3 July 2021, https://twitter.com/BushidoToken/status/1411469864653496321.\r\nSource: https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html"
	],
	"report_names": [
		"kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434564,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9513bc8fe2c3513752ce8977fa2a70d440064ed6.pdf",
		"text": "https://archive.orkl.eu/9513bc8fe2c3513752ce8977fa2a70d440064ed6.txt",
		"img": "https://archive.orkl.eu/9513bc8fe2c3513752ce8977fa2a70d440064ed6.jpg"
	}
}