Kaseya - REvil Ransomware Distributed via Compromise at IT Solutions Provider

By Jonathan Leach, Cyber Security Analyst, CyberGuard Technologies


Threat actors behind the notorious REvil cybercrime operation appear to have pushed ransomware via an update to Kaseya's IT management software, hitting around 40 customers worldwide in what amounts to a widespread supply-chain ransomware attack.

Kaseya CEO Fred Voccola shared the following statement on Friday:

“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.”

Available information indicates that PINCHY SPIDER, or an affiliate, compromised Kaseya via unknown means and used that access to deliver REvil to victims via Kaseya’s VSA product.

Kaseya has acknowledged “a potential attack against the VSA that has been limited to a small number of on-premise customers.” Other sources reported multiple managed service providers (MSPs) using the VSA product were victimized in this incident.

Details / IOCs

CrowdStrike Falcon OverWatch observed Kaseya’s monitor process write a single, encoded file to disk and execute a series of commands to disable security controls, decode a payload, and execute REvil. The encoded payload (agent.crt) is written to a staging directory (often C:\kworking) and is decoded and executed with the following series of cmd.exe commands:


  1. ping 127.0.0[.]1 -n 4786 is executed to provide an initial delay
  2. PowerShell is used to disable Microsoft Windows Defender-related security controls
  3. The Windows Certificate Utility (certutil.exe) is copied to C:\Windows\cert.exe
  4. cert.exe is executed to decode agent.crt to agent.exe in the staging directory
  5. The encoded payload (agent.crt) is deleted
  6. The payload (agent.exe) is executed

The agent.exe payload is a dropper that contains REvil ransomware and a legitimate Microsoft Windows Defender executable. The dropper writes the ransomware payload to C:\Windows\mpsvc.dll and the Windows Defender executable to C:\Windows\MsMpEng.exe, then executes the latter using CreateProcessW. This legitimate Microsoft Windows Defender executable was signed on 2014-03-24 01:34:00 (UTC) and is vulnerable to DLL search-order hijacking: because it is launched from C:\Windows rather than its normal installation directory, it loads and executes the REvil ransomware binary (mpsvc.dll) sitting beside it. Technical analysis of the REvil payload is still ongoing.
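As an added detection example (not part of this advisory, and not CrowdStrike's or Kaseya's code), the following Python checks Sysmon-style process-creation events for the stages of the chain described above: the long ping delay, certutil.exe being copied under another name, the renamed copy decoding a file, and MsMpEng.exe running outside its Windows Defender directory. The event layout, the sample command lines and the ping threshold are constructed assumptions.

```python
import re
import ntpath  # handles Windows paths correctly even when run on Linux

# Constructed Sysmon-style process-creation events (not taken from the report):
# (image path, OriginalFileName from the PE header, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\PING.EXE", "ping.exe", "ping 127.0.0.1 -n 4786"),
    (r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
     r"cmd.exe /c copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe"),
    (r"C:\Windows\cert.exe", "CertUtil.exe",
     r"C:\Windows\cert.exe -decode C:\kworking\agent.crt C:\kworking\agent.exe"),
    (r"C:\Windows\MsMpEng.exe", "MsMpEng.exe", r"C:\Windows\MsMpEng.exe"),
    # Benign noise: an ordinary ping and Defender running from its usual location.
    (r"C:\Windows\System32\PING.EXE", "ping.exe", "ping 10.0.0.5 -n 4"),
    (r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "MsMpEng.exe", r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe"),
]

PING_DELAY_THRESHOLD = 100  # assumed: legitimate pings send a handful of echoes, not thousands


def classify(image, original_name, cmdline):
    """Return the chain stages a single event matches (empty list if none)."""
    hits = []
    low = cmdline.lower()
    img = ntpath.basename(image).lower()
    # Stage 1: ping used as a sleep, betrayed by an absurd echo count.
    m = re.search(r"\bping(?:\.exe)?\b.*?-n\s+(\d+)", low)
    if m and int(m.group(1)) >= PING_DELAY_THRESHOLD:
        hits.append("ping_delay")
    # Stage 3: certutil.exe copied to a differently named file.
    m = re.search(r"\bcopy\b.*?certutil\.exe\s+(\S+)", low)
    if m and ntpath.basename(m.group(1)) != "certutil.exe":
        hits.append("certutil_copy")
    # Stage 4: a binary whose PE name is CertUtil but whose file name is not.
    if original_name.lower() == "certutil.exe" and img != "certutil.exe":
        hits.append("renamed_certutil")
        if "-decode" in low:
            hits.append("certutil_decode")
    # Stage 6 side-load: the signed Defender engine launched from the wrong directory.
    if img == "msmpeng.exe" and "windows defender" not in ntpath.dirname(image).lower():
        hits.append("defender_binary_relocated")
    return hits


def scan(events):
    """Map each matched stage to the command lines that triggered it."""
    found = {}
    for image, original_name, cmdline in events:
        for stage in classify(image, original_name, cmdline):
            found.setdefault(stage, []).append(cmdline)
    return found
```

Any single stage can occur benignly; the point of collecting them per host is that several together within a short window is the pattern described above.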

Indicators of compromise (IOCs) observed in connection with this activity are listed in Table 1:

Table 1: IOCs related to July 2021 Kaseya Incident

- REvil Dropper, Encoded
- REvil Dropper, Decoded
- REvil Ransomware
- Legitimate Windows Defender executable

Mitigation recommendations

Kaseya has issued the following guidance in response to this activity:

  • Kaseya has issued a statement advising Kaseya customers to immediately shut down their VSA servers until further notice.
  • A new Compromise Detection Tool will be available to Kaseya VSA customers. Request it by sending an email to [email protected] with the subject “Compromise Detection Tool Request”.
  • All On-Premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations.


For further information and the latest updates from Kaseya and other sources:

- https://falcon.crowdstrike.com/intelligence
- https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html
- https://www.theverge.com/2021/7/2/22561252/revil-ransomware-attacks-systems-using-kaseyas-remote-it-management-software
- https://blog.talosintelligence.com/2021/07/revil-ransomware-actors-attack-kaseya.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain