Anatomy of a Breach

Anatomy of a Breach: Kaseya VSA — REvil's Supply Chain Ransomware Attack on 1,500 Businesses

> series: anatomy_of_a_breach —— part: 151 —— target: kaseya_vsa —— ransomware: revil —— businesses: 1,500 —— demand: $70,000,000

Hedgehog Security 31 July 2021 14 min read

One vendor. 1,500 businesses. 800 supermarkets closed. $70 million demanded.

On 2 July 2021, REvil ransomware operators exploited zero-day vulnerabilities in Kaseya VSA — a remote monitoring and management (RMM) platform used by managed service providers (MSPs) to administer their clients' IT environments. By compromising Kaseya's on-premises VSA servers, the attackers pushed ransomware through the legitimate software update mechanism to the MSPs' clients — encrypting systems at approximately 1,500 businesses in a single coordinated attack.

The most visible casualty was Coop Sweden — a supermarket chain that was forced to close approximately 800 stores because its point-of-sale systems were encrypted through its MSP's connection to Kaseya. REvil initially demanded $70 million for a universal decryptor — the largest ransomware demand in history at the time. The attack combined the supply chain compromise methodology of SolarWinds with the mass ransomware deployment of WannaCry, delivered through the trusted relationship between MSPs and their clients — the same trust model that enables managed SOC services and managed security to function.



Your IT provider's tools are your attack surface.

Supply Chain + Ransomware = Maximum Impact
Kaseya combined two of the most devastating attack methodologies: supply chain compromise (accessing clients through a trusted vendor) and ransomware (encrypting for financial extortion). The result was ransomware deployed to 1,500 businesses simultaneously through a single attack. For UK organisations using MSPs, <a href="/cyber-essentials">Cyber Essentials</a> addresses MSP security requirements.

800 Supermarkets Closed
Coop Sweden's closure of 800 stores demonstrated the cascading real-world impact of supply chain ransomware — a supermarket chain was shut down not because it was attacked, but because its MSP's software vendor was compromised. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for the anomalous software deployment patterns that indicate supply chain attacks.

RMM Tools Are God Mode
RMM tools like Kaseya VSA are designed to manage and control client systems remotely — including pushing software updates and executing commands. When compromised, they provide attackers with the same capabilities the tool provides administrators: deployment of any software to any managed endpoint. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses RMM tool security and MSP access controls.
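A detection sketch for the "anomalous software deployment patterns" mentioned above and the mass-push capability of an RMM described in this section, as an added example that is not Kaseya's, Hedgehog Security's, or any product's code: the log format, field names, thresholds and sample lines are all constructed assumptions. It flags one package being pushed to many endpoints across many client organisations inside a short window, which is the shape of the 2 July 2021 deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Kaseya VSA output): timestamp, client org, endpoint,
# procedure, package hash. The second batch mimics one package hitting many orgs at once.
SAMPLE_LOG = """\
2021-07-02T14:05:01Z client=orgA endpoint=ws-01 proc=PatchCycle pkg=sha256:aaa
2021-07-02T14:05:03Z client=orgA endpoint=ws-02 proc=PatchCycle pkg=sha256:aaa
2021-07-02T16:30:00Z client=orgA endpoint=ws-01 proc=HotFix pkg=sha256:bbb
2021-07-02T16:30:01Z client=orgB endpoint=pos-01 proc=HotFix pkg=sha256:bbb
2021-07-02T16:30:01Z client=orgC endpoint=pos-07 proc=HotFix pkg=sha256:bbb
2021-07-02T16:30:02Z client=orgD endpoint=srv-01 proc=HotFix pkg=sha256:bbb
2021-07-02T16:30:02Z client=orgE endpoint=ws-09 proc=HotFix pkg=sha256:bbb
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) endpoint=(?P<ep>\S+) "
                     r"proc=(?P<proc>\S+) pkg=(?P<pkg>\S+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_mass_deployments(log_text, window=timedelta(minutes=5),
                            min_orgs=3, min_endpoints=4):
    """Alert on a (procedure, package) hitting >= min_endpoints across >= min_orgs orgs in one window."""
    by_pkg = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_pkg[(ev["proc"], ev["pkg"])].append(ev)
    alerts = []
    for (proc, pkg), events in by_pkg.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):  # sliding window anchored at each event
            burst = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            orgs = {e["client"] for e in burst}
            endpoints = {(e["client"], e["ep"]) for e in burst}
            if len(orgs) >= min_orgs and len(endpoints) >= min_endpoints:
                alerts.append({"proc": proc, "pkg": pkg, "orgs": len(orgs),
                               "endpoints": len(endpoints),
                               "first_seen": start["ts"].isoformat()})
                break  # one alert per package is enough
    return alerts
```

A routine patch cycle confined to one client does not trip the rule; the same package landing on five endpoints in five client organisations within two seconds does.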

$70 Million Demand
REvil's $70 million demand for a universal decryptor was the largest ransomware demand at the time — reflecting the scale of the attack (1,500 businesses). Shortly after the attack, REvil's infrastructure went offline, and in October 2021, Kaseya obtained a universal decryptor — reportedly through FBI intervention. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> coordinates with law enforcement during major ransomware incidents.

Trust your MSP — but verify their security.

The Kaseya attack demonstrated that the trust relationship between organisations and their MSPs — while necessary — creates supply chain risk that must be managed. For UK organisations using managed IT services, the MSP's own security posture, the tools they use, and the access they have to your systems must be assessed as part of your security programme. Cyber Essentials addresses MSP security. Our infrastructure testing includes assessment of MSP access controls and RMM tool security. SOC in a Box monitors for supply chain indicators independently of your MSP. And UK Cyber Defence provides incident response when supply chain attacks affect your organisation.


Kaseya: one vendor, 1,500 businesses, 800 supermarkets closed. How much access does your MSP have?

Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses MSP access and RMM security. <a href="/cyber-essentials">Cyber Essentials</a> addresses MSP requirements. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors independently of your MSP.
