Incident Response

Kaseya VSA Ransomware: Supply Chain Attack Hits 1,500 Businesses

REvil exploited Kaseya's VSA platform to push ransomware to managed service providers and their customers. Up to 1,500 businesses were hit in a single weekend.

Michael
Security Researcher

A Holiday Weekend Nightmare

On Friday, July 2, 2021 — the start of the U.S. Independence Day weekend — the REvil ransomware group launched a supply chain attack through Kaseya's VSA (Virtual System Administrator) platform. The timing was deliberate. Security teams were understaffed. Response times would be slow.

Kaseya VSA is a remote monitoring and management (RMM) tool used by managed service providers (MSPs) to administer their customers' IT infrastructure. By compromising Kaseya, REvil didn't just hit one company. They hit the MSPs, and through them, up to 1,500 downstream businesses — small to medium enterprises that relied on those MSPs for IT management.

REvil initially demanded $70 million for a universal decryptor. It was the largest ransomware demand in history at that point.

The Attack Chain

Exploiting Zero-Day Vulnerabilities

The attackers exploited multiple zero-day vulnerabilities in Kaseya VSA's on-premises servers. The primary vulnerability was CVE-2021-30116, an authentication bypass that allowed unauthenticated access to the VSA API.

Dutch security researchers at DIVD (Dutch Institute for Vulnerability Disclosure) had actually discovered and reported these vulnerabilities to Kaseya before the attack. Kaseya was working on patches. But REvil moved faster.

The Push Mechanism

Once the attackers had access to VSA servers, they used the platform's own functionality, the legitimate software update mechanism, to push a fake "Kaseya VSA Agent Hot-fix" to all managed endpoints. Because VSA agents are trusted management tools, the update path was exempt from the usual antivirus checks, so the fake hot-fix was installed on endpoints without scrutiny.

The malicious update contained:

  1. A dropper disguised as a VSA update (agent.crt)
  2. The REvil ransomware payload
  3. A legitimate but outdated Windows Defender binary used for DLL side-loading

Execution

The payload exploited DLL side-loading in an old version of MsMpEng.exe (Windows Defender) to execute the ransomware. Because the execution chain used a legitimately signed Microsoft binary, it evaded many endpoint detection tools.

The ransomware encrypted files on the target systems and dropped a ransom note demanding payment in cryptocurrency. Individual ransoms ranged from $45,000 to $5 million depending on the perceived size of the victim.

The MSP Multiplier Effect

This attack demonstrated why MSP compromises are uniquely devastating. A typical MSP manages dozens to hundreds of customers. Kaseya reported that approximately 60 MSPs were directly affected. Through those 60 MSPs, the attack cascaded to an estimated 800 to 1,500 downstream businesses.

The victims included:

  • Coop Sweden — One of Sweden's largest grocery chains, forced to close 800 stores because their point-of-sale systems were encrypted
  • Dental offices, accounting firms, restaurants, and small businesses across the Americas and Europe
  • Organizations with no direct relationship with Kaseya — they were victims through their MSP

These downstream victims had no visibility into or control over Kaseya's security posture. They trusted their MSP, who trusted Kaseya. The chain of trust was only as strong as its weakest link.

Timeline of Response

  • July 2, 3:00 PM EDT — Kaseya detected the attack and immediately shut down its VSA SaaS infrastructure and advised on-premises customers to turn off VSA servers
  • July 2-3 — Incident response teams (Mandiant, CISA, FBI) engaged
  • July 4 — REvil claimed responsibility on their dark web blog and demanded $70 million
  • July 11 — Kaseya released patches for the exploited vulnerabilities
  • July 13 — REvil's dark web infrastructure went offline (later attributed to Russian government action)
  • July 22 — Kaseya obtained a universal decryptor (source undisclosed, though FBI later confirmed they had obtained it)

Lessons from Kaseya

Software Vendors Are High-Value Targets

Kaseya, SolarWinds, Codecov — the pattern is clear. Attackers target software platforms that have privileged access to customer environments. RMM tools, CI/CD platforms, identity providers, and update mechanisms are the new attack surface.

Patch Windows Are Shrinking

DIVD had disclosed the vulnerabilities to Kaseya. Patches were in development. But the attackers exploited the gap between disclosure and patch deployment. This "patch race" is intensifying as vulnerability intelligence becomes more accessible to both defenders and attackers.

Third-Party Risk Is Your Risk

The businesses encrypted by REvil had no contractual relationship with Kaseya. They were three steps removed from the initial compromise. Yet they bore the full impact. Traditional vendor risk assessments that focus only on direct suppliers miss this cascading risk.
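To make the cascading risk concrete, here is an added example (not from the original article or from any vendor's product) that walks a constructed trust graph in both directions: downstream from a compromised vendor to count who is exposed and how many steps removed they are, and upstream from one customer to show what a direct-suppliers-only assessment misses. All organization names except Kaseya are placeholders.

```python
from collections import deque

# Constructed trust graph for illustration: each key grants software or management
# access to the organizations listed under it. All names except Kaseya are placeholders.
TRUST_EDGES = {
    "Kaseya": ["MSP-A", "MSP-B"],
    "MSP-A": ["Dental-Office-1", "Accounting-Firm-1"],
    "MSP-B": ["Retail-Chain-1", "MSP-C"],
    "MSP-C": ["Law-Firm-1"],
    "Retail-Chain-1": ["Store-POS-Fleet"],
}

def _walk(adjacency, start):
    """Breadth-first walk; returns {node: (hops, reached_via)} using shortest paths."""
    seen, queue = {}, deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in seen:            # first visit is the shortest trust path
                seen[nxt] = (hops + 1, node)
                queue.append((nxt, hops + 1))
    return seen

def downstream_exposure(edges, compromised_vendor):
    """Every organization reachable from the vendor, with its distance in trust
    links and the supplier the exposure arrives through (the MSP multiplier)."""
    return _walk(edges, compromised_vendor)

def upstream_suppliers(edges, org, max_depth=None):
    """Suppliers that can reach org, directly or transitively. max_depth=1
    reproduces a direct-suppliers-only vendor assessment; None follows the
    whole chain, which is what surfaces a vendor three steps away."""
    reverse = {}
    for supplier, customers in edges.items():
        for customer in customers:
            reverse.setdefault(customer, []).append(supplier)
    found = _walk(reverse, org)
    return {s: d for s, d in found.items() if max_depth is None or d[0] <= max_depth}
```

With this graph, a direct-only review of Law-Firm-1 lists only its MSP, while the full walk reaches Kaseya three links away.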

Trusted Channels Are the Best Attack Vector

The ransomware was delivered through the same channel as legitimate updates. It was pushed by a trusted management tool with elevated privileges. This is the core challenge of supply chain attacks — the attack looks identical to normal operations until the payload executes.

Defending Against MSP-Chain Attacks

For MSPs:

  • Segment management infrastructure from customer environments
  • Implement MFA on all management platforms
  • Monitor for anomalous command execution through RMM tools
  • Maintain offline backups that management tools can't reach

For MSP customers:

  • Understand what tools your MSP uses and their access scope
  • Ensure your contract includes security requirements and incident notification
  • Maintain independent backup and recovery capabilities
  • Monitor for unexpected software installations, even from management tools
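The two monitoring items above, and the execution chain described earlier (an unapproved hot-fix procedure, an agent.crt drop, then a relocated MsMpEng.exe), can be turned into a small correlation rule. This is an added example, not code from the article or from Kaseya; the log field layout, the working-directory path and the allowlists are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime

# Constructed sample of RMM telemetry, modelled on the chain the article describes:
# an unapproved "Hot-fix" procedure, an agent.crt drop, then MsMpEng.exe launched
# from an unusual directory. Field layout and paths are assumptions, not real VSA logs.
SAMPLE_EVENTS = [
    "2021-07-02T18:02:11Z host=ws-014 type=procedure name='Q3 Windows Patching'",
    "2021-07-02T18:30:45Z host=ws-014 type=procedure name='Kaseya VSA Agent Hot-fix'",
    "2021-07-02T18:30:50Z host=ws-014 type=file_write path='C:\\agent-working\\agent.crt'",
    "2021-07-02T18:31:02Z host=ws-014 type=process image='C:\\Windows\\MsMpEng.exe'",
    "2021-07-02T18:31:05Z host=ws-022 type=process image='C:\\Program Files\\Windows Defender\\MsMpEng.exe'",
]

# Procedures the MSP's change process has approved (assumed allowlist).
APPROVED_PROCEDURES = {"Q3 Windows Patching"}
# Directories that may legitimately host the Defender engine binary (assumption).
DEFENDER_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\")

FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

def parse_event(line):
    """Split one line into a dict; the leading timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for key, quoted, bare in FIELD_RE.findall(rest):
        ev[key] = quoted or bare
    return ev

def detect(lines, window_s=300):
    """Return (host, severity, reason) findings; severity escalates to high when a
    relocated MsMpEng.exe follows an unapproved procedure on the same host within window_s."""
    findings, last_unapproved = [], {}
    for ev in map(parse_event, lines):
        host, kind = ev["host"], ev["type"]
        if kind == "procedure" and ev["name"] not in APPROVED_PROCEDURES:
            last_unapproved[host] = ev["ts"]
            findings.append((host, "medium", f"unapproved RMM procedure {ev['name']!r}"))
        elif kind == "file_write" and ev["path"].lower().endswith("agent.crt"):
            findings.append((host, "medium", f"RMM agent wrote {ev['path']}"))
        elif kind == "process" and ev["image"].lower().endswith("msmpeng.exe"):
            if not ev["image"].lower().startswith(DEFENDER_DIRS):
                started = last_unapproved.get(host)
                recent = started and (ev["ts"] - started).total_seconds() <= window_s
                sev = "high" if recent else "medium"
                findings.append((host, sev, f"MsMpEng.exe outside Defender directory: {ev['image']}"))
    return findings
```

Run against the sample, ws-014 produces three findings ending in a high-severity correlation, while ws-022's Defender binary in its normal directory produces none.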

How Safeguard.sh Helps

Safeguard.sh provides visibility into your software supply chain, including the management tools and third-party platforms that have access to your infrastructure. By maintaining a comprehensive inventory of software components and their trust relationships, the platform helps organizations understand their exposure when a vendor like Kaseya is compromised.

When a supply chain incident occurs, time is critical. Safeguard.sh enables rapid impact assessment — identifying which systems run affected software versions, which dependencies are exposed, and what remediation steps are needed. This reduces incident response time from days of manual investigation to minutes of automated analysis.

The platform also monitors for known vulnerabilities in your deployed software stack, including management tools and agents. When CVEs like those exploited in the Kaseya attack are published, Safeguard.sh immediately flags affected components across your environment, giving you the information to patch before attackers exploit the window between disclosure and remediation.
