{
	"id": "37c6e3b2-ccad-4b4d-8863-b01f338a5014",
	"created_at": "2026-04-06T00:18:55.868959Z",
	"updated_at": "2026-04-10T03:21:57.994242Z",
	"deleted_at": null,
	"sha1_hash": "b161df7a8e69063b0c5f1925e9921893088015bf",
	"title": "Kaseya Ransomware Supply Chain Attack: What You Need To Know",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52102,
	"plain_text": "Kaseya Ransomware Supply Chain Attack: What You Need To Know\r\nArchived: 2026-04-05 20:30:08 UTC\r\nUPDATE July 5 2021: Our blog has been updated with more details on how the ransomware was executed along with additional protection information.\r\nSeveral hundred organizations have been targeted by the REvil (aka Sodinokibi) ransomware in a supply chain attack involving Kaseya VSA software and multiple Managed Service Providers (MSPs) who use it. News of the attack broke yesterday (Friday 3 July), prompting Kaseya to urge VSA users to shut down their VSA servers to prevent them from being compromised. The attack may have been timed to coincide with the 4th of July holiday weekend in the U.S., where many organizations may be lightly staffed.\r\nAre Symantec customers protected?\r\nYes, Symantec Endpoint products proactively blocked tools used to deliver the ransomware payload in this wave of attacks.\r\nHow many organizations are affected?\r\nAccording to Kaseya only a very small percentage of their customers were affected, “currently estimated at fewer than 40 worldwide”. However, each of those organizations may be MSPs with multiple customers. Current reports suggest hundreds of victims.\r\nHow was REvil delivered to computers during these attacks?\r\nWhile the exploit used to breach the Kaseya VSA server side has not yet been fully documented, it is known that the attackers delivered a malicious script and an ASCII PEM file named agent.crt to Kaseya VSA clients. The dropper masqueraded inside the ASCII PEM file, which was decoded using certutil after attempts to disable Microsoft Defender. It dropped two resources: an old, but legitimate, copy of Windows Defender (MsMpEng.exe) and a custom malicious loader. The dropper writes the two files to disk and executes MsMpEng.exe, which then side-loads and executes the custom loader's export (mpsvc.dll).\r\nWhat was the motivation for the attacks?\r\nREvil attacks are usually financially motivated. However, there are some signs that the attacks may be politically motivated disruption. The attackers have, on occasion, appeared to have a political motive in their selection of targets.\r\nIn this attack, strings in the payload made references to President Joe Biden, ex-president Donald Trump, and Black Lives Matter. The attackers demanded a ransom of $45,000, which may be another reference to Trump, who\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain\r\nPage 1 of 3\n\nwas the 45th president of the U.S.\r\nFurthermore, REvil’s Tor payment site is down at the time of writing, meaning victims will have no way of paying a ransom. Whether the group is having technical difficulties or whether it never intended to collect a ransom remains unclear.\r\nWhat is REvil/Sodinokibi?\r\nREvil (detected as Ransom.Sodinokibi) is a family of ransomware developed by a cybercrime group Symantec calls Leafroller. The ransomware is used in targeted attacks, where the attackers attempt to encrypt all computers on the victim’s network in the hope of extorting a large ransom. The group is known to steal victim data prior to encryption and threaten to release it unless a ransom is paid.\r\nLeafroller is one of the most established and prolific targeted ransomware groups in operation. Prior to its development of REvil, the group was associated with an older ransomware family known as Gandcrab. Leafroller is known to operate a Ransomware-as-a-Service, where it sells its tools to collaborators known as affiliates in exchange for a cut of any ransom payments they obtain.\r\nProtection/Mitigation\r\nTools associated with these attacks will be detected and blocked on machines running Symantec Endpoint products.\r\nFile-based protection:\r\nDownloader\r\nHeur.AdvML.C\r\nPacked.Generic.618\r\nRansom.Sodinokibi\r\nTrojan.Gen.2\r\nTrojan.Gen.MBT\r\nWS.Malware.1\r\nWS.Malware.2\r\nNetwork-based protection:\r\nRansom.Gen Activity 29\r\nAudit: Ransom.Gen Activity 55\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e - Dropper\r\ndf2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e - Dropper\r\ndc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f - Dropper\r\naae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7 - Dropper\r\n66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8 - Dropper\r\n81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471 - Dropper\r\n1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e - Dropper\r\n8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd - Sodinokibi\r\ne2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 - Sodinokibi\r\nd8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20 - Sodinokibi\r\nd5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f - Sodinokibi\r\ncc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6 - Sodinokibi\r\n0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402 - Sodinokibi\r\n8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f - Sodinokibi\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain"
	],
	"report_names": [
		"kaseya-ransomware-supply-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434735,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b161df7a8e69063b0c5f1925e9921893088015bf.pdf",
		"text": "https://archive.orkl.eu/b161df7a8e69063b0c5f1925e9921893088015bf.txt",
		"img": "https://archive.orkl.eu/b161df7a8e69063b0c5f1925e9921893088015bf.jpg"
	}
}