Sunday, May 24, 2026
Supply Chain

REvil Ransomware Hits Kaseya VSA in Massive Supply-Chain Attack

The REvil ransomware crew exploited a zero-day in Kaseya's VSA remote-management software to encrypt systems at an estimated 1,500 downstream businesses through approximately 60 managed service providers.

Michael Thornton, Senior Security Correspondent

The REvil ransomware crew exploited a previously unknown zero-day vulnerability in Kaseya VSA — a remote monitoring and management product widely used by managed service providers — to push ransomware payloads to an estimated 1,500 downstream business customers, in one of the most consequential supply-chain attacks on record.

The attack, which began Friday afternoon ahead of the U.S. Independence Day weekend, hit approximately 60 MSPs directly. Because MSPs typically administer infrastructure for dozens to hundreds of small and mid-sized business clients, the blast radius rapidly expanded through trusted-deployment channels. Coop, a Swedish grocery chain, was forced to close roughly 800 stores after its point-of-sale systems were encrypted via a Visma EssCom-managed deployment.

The exploited vulnerability, now tracked as CVE-2021-30116, is an authentication-bypass flaw in the VSA web interface that had been independently reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) prior to the attack. DIVD researchers were in active coordination with Kaseya on a patch when REvil affiliates began exploitation.

REvil set a $70 million universal ransom demand in exchange for a decryption tool that would unlock all victims, and offered lower per-victim pricing through its standard negotiation channel. The group's dark-web infrastructure unexpectedly went offline two weeks later, a disappearance that observers attribute to Russian government pressure following a call between Presidents Biden and Putin.

Kaseya has since released patches and rolled out hardened on-premises deployment guidance. CISA and the FBI issued joint guidance for MSPs to harden remote-management tools, segment customer environments, and implement multi-factor authentication on management consoles.

Tags: Kaseya, REvil, ransomware, MSP, supply chain, CVE-2021-30116
Michael Thornton

Senior Security Correspondent

Covering cybersecurity news and threat intelligence for CyberNews.wiki.
