{
	"id": "ea8c9fe8-c22d-4160-a333-30dd16fcf538",
	"created_at": "2026-04-06T00:21:23.437608Z",
	"updated_at": "2026-04-10T03:20:48.855682Z",
	"deleted_at": null,
	"sha1_hash": "b5f250bd63a37e2560dde86443f3494a3e33098a",
	"title": "REvil ransomware gang executes supply chain attack via malicious Kaseya update",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 172133,
	"plain_text": "REvil ransomware gang executes supply chain attack via malicious Kaseya update\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-18 · Archived: 2026-04-05 19:51:24 UTC\r\nThe REvil ransomware gang appears to have gained access to the infrastructure of Kaseya, a provider of remote management solutions, and is using a malicious update for the VSA software to deploy ransomware on enterprise networks.\r\nThe incident, believed to have impacted thousands of companies across the world, first came to light earlier today in a Reddit section dedicated to managed service providers (MSPs) -- companies that provide remote IT services to smaller businesses lacking an IT department and which make up Kaseya's primary customer base.\r\nAccording to security firm Sophos and Kaseya customers who spoke with The Record, the malicious Kaseya update is reaching VSA on-premise servers, from where, using VSA's internal scripting engine, the ransomware is pushed to all connected client systems.\r\nPer Mark Loman, a Sophos malware analyst, on each host the REvil gang first disables local antivirus solutions and then drops a legitimate, renamed copy of the Microsoft Defender executable that side-loads the actual ransomware DLL, so the encryption of the victim's files runs from a trusted, signed process.\r\nWe are monitoring a REvil 'supply chain' attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\\Windows\\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\\Windows\\MsMpEng.exe to run the encryption from a legit process.— Mark Loman (@markloman) July 2, 2021\r\nIn a Zoom call today, Loman told The Record that the attack is massive in scale, based on Sophos telemetry, which is also what allowed the Sophos team to spot the attack early on.\r\nLoman said that impacted companies are seeing ransom demands of $50,000 (if the infected system is not domain joined) or $5 million (if the computer is domain joined, a clear sign that the system is part of a large corporate network).\r\nIn a Reddit post, security firm Huntress Labs said it is aware of at least eight MSPs that have been impacted by today's incident, and at least 200 businesses that have had their networks encrypted, based on its own visibility alone.\r\nKaseya tells customers to take VSA servers offline\r\nIn an email earlier today, a Kaseya representative confirmed the attacks to The Record, pointing us to a support page urging all VSA owners to take their systems offline until further notice.\r\nBesides advising customers to shut off their on-premise VSA servers, Kaseya has also taken its own cloud infrastructure offline, in what looks like an attempt both to stop further malicious updates from going out and to root the REvil gang out of its systems.\r\nKaseya is advising on-prem users to shut their servers off. They brought their entire cloud offline. Short of screaming \"We've been hacked!\" it's pretty certain that they feel its origin is them.— CONDITION.BLACK | RESEARCH AND INTELLIGENCE (@Shadow0pz) July 2, 2021\r\nFollowing news of today's massive supply chain attack via Kaseya's software, the US Cybersecurity and Infrastructure Security Agency (CISA) said it was looking into the incident and how to address it.\r\nToday's incident also marks the third time that a ransomware gang has abused Kaseya products to deploy ransomware.\r\nIn February 2019, the GandCrab ransomware gang abused a vulnerability in a Kaseya plugin for the ConnectWise Manage software to deploy ransomware on the networks of MSPs' customers.\r\nAfter the GandCrab gang rebranded as REvil, they pulled a second attack against MSPs in June 2019, when they abused Webroot SecureAnywhere and Kaseya VSA products to again deploy ransomware from MSPs to their customers' networks.\r\nIndicators of compromise (IOCs) from today's attack are currently available on a Sophos Community page.\r\nUpdate: Five hours after this article was published, Kaseya CEO Fred Voccola provided the following statement to The Record regarding today's incident (reproduced in full with no alterations):\r\nCatalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.\r\nSource: https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/"
	],
	"report_names": [
		"revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update"
	],
	"threat_actors": [],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775791248,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5f250bd63a37e2560dde86443f3494a3e33098a.pdf",
		"text": "https://archive.orkl.eu/b5f250bd63a37e2560dde86443f3494a3e33098a.txt",
		"img": "https://archive.orkl.eu/b5f250bd63a37e2560dde86443f3494a3e33098a.jpg"
	}
}