
Kaseya VSA REvil Supply Chain Ransomware — 1,500 Businesses, $70M Demand

📅 2021-07-01 🏢 Kaseya VSA remote monitoring and management (RMM) platform 🦠 REvil (Sodinokibi) ransomware

Incident Details

See comprehensive record: data/supply-chain/2021-07_kaseya-vsa-revil.yaml. Kaseya VSA is used by MSPs (Managed Service Providers) to remotely manage client endpoints — a single Kaseya VSA server compromise simultaneously encrypted all managed endpoints across all of an MSP’s clients. Approximately 1,500 businesses in 17 countries were encrypted in 2 hours. REvil demanded $70M for a universal decryptor.

Technical Details

Initial Attack Vector
REvil exploited multiple zero-day vulnerabilities in Kaseya VSA (CVE-2021-30116, CVE-2021-30119, CVE-2021-30120) to push malicious script execution to all managed endpoints without authentication; exploitation was conducted over the Independence Day holiday weekend.
Vendor / Product
Kaseya VSA remote monitoring and management (RMM) platform
Malware Family
REvil (Sodinokibi) ransomware
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2021-07-01 Breach occurred
  2. 2021-07-01 Publicly disclosed