IT Software Firm Kaseya Hit By Supply Chain Ransomware Attack

Supply chain cyberattack could have wide blast radius through compromised MSPs

Software maker Kaseya Limited is urging users of its VSA endpoint management and network monitoring tool to immediately shut down VSA servers to prevent them from being compromised in a widespread ransomware attack.

According to Kaseya, the attack began around 2PM ET on Friday. The company said that while the incident only appears to impact on-premises customers, SaaS servers have also been shut down as a precautionary measure.

While the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had not yet issued an official alert as of early Saturday, the agency said late Friday that it was “taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software.”

Timing of the attack is certainly no coincidence, as IT and security teams are likely to be understaffed and slower to respond due to the 4th of July holiday weekend in the United States.

“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” the company said.

Kaseya says it’s working on a patch for on-premises customers, and that patch will need to be installed before VSA is restarted. “We will release that patch as quickly as possible to get our customers back up and running,” the company said.

According to security firm Huntress, at least 8 managed service providers (MSPs) have been compromised, with more than 200 of their customers already impacted.

Kaseya currently estimates that less than 40 of its customers have been affected. 

The attack appears to have involved exploitation of a vulnerability and the delivery of a malicious Kaseya VSA software update. The update has delivered a piece of ransomware that encrypts files on compromised systems.

According to security researcher Kevin Beaumont, VSA runs with administrator privileges, which has enabled the attackers to also deliver the ransomware to the customers of the impacted MSPs. 

On compromised systems, the malware attempts to disable various Microsoft Defender for Endpoint protections, including real time monitoring, IPS, script scanning, network protection, cloud sample submission, cloud lookup, and controlled folder access, Beaumont said.

To make matters worse, VSA admin accounts are apparently disabled just before the ransomware is deployed. 

According to Huntress, the attack appears to have been carried out by a REvil/Sodinokibi ransomware-as-a-service affiliate. Sophos and others also confirmed that REvil was involved.

REvil ransomware note to Kaseya VSA victims

“REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process,” explained Sophos’ Mark Loman.

The ransomware encryptor is signed with a valid digital signature belonging to a transportation company in Canada.
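The three behaviours reported above (Defender protections being switched off, mpsvc.dll side-loaded into a copy of MsMpEng.exe dropped in C:\Windows, and an encryptor carrying a valid but non-Microsoft signature) each leave a footprint in ordinary endpoint telemetry. The script below is an added example written for this article, not code from Kaseya, Sophos, Huntress or the researchers quoted: it runs three detection rules over constructed JSON-lines events modelled loosely on process-creation and image-load records. The field names, the Defender install directories, the expected-signer string and the use of `Set-MpPreference` as the tampering mechanism are assumptions (the article names the protections that were disabled, not the command used); the sample events and the signer name on the side-load line are constructed placeholders, not real indicators.

```python
"""Detection sketch for the behaviours the article attributes to the Kaseya
payload: Defender tampering, side-loading mpsvc.dll into a copied MsMpEng.exe,
and a binary signed by a valid but unexpected signer.

Added example, not code from the article or from any vendor it quotes. Events
are constructed JSON lines; field names, directories and signer strings are
assumptions rather than a real product schema.
"""
import json
import re

# Directories a genuine Defender engine runs from (assumed; adjust per build).
DEFENDER_DIRS = (
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\program files\\windows defender\\",
)
# Substring expected in the signer of Defender binaries as the log renders it (assumed).
EXPECTED_SIGNER = "microsoft"

# Set-MpPreference switches that weaken Defender. These are real cmdlet
# parameters, but the article does not say this cmdlet was used, so treating
# it as the tampering mechanism is an assumption of this example.
TAMPER_SWITCHES = re.compile(
    r"-(?:DisableRealtimeMonitoring|DisableIntrusionPreventionSystem|"
    r"DisableScriptScanning|DisableIOAVProtection|"
    r"EnableControlledFolderAccess\s+Disabled|"
    r"EnableNetworkProtection\s+(?:Disabled|AuditMode)|"
    r"MAPSReporting\s+Disabled|SubmitSamplesConsent\s+NeverSend)",
    re.IGNORECASE,
)


def outside_defender_dirs(path):
    """True when a Defender-named file does not live where Defender is installed."""
    return not path.lower().startswith(DEFENDER_DIRS)


def alerts_for(event):
    """Return the findings for one parsed event; an empty list means benign."""
    findings = []
    image = event.get("image", "")
    if image.lower().endswith("\\msmpeng.exe") and outside_defender_dirs(image):
        findings.append("MsMpEng.exe running outside the Defender install directory")

    if event["type"] == "imageload":
        loaded = event.get("loaded", "")
        if loaded.lower().endswith("\\mpsvc.dll"):
            if outside_defender_dirs(loaded):
                findings.append("mpsvc.dll loaded from outside the Defender install "
                                "directory (side-load pattern)")
            signer = event.get("signer", "")
            # A signature can be cryptographically valid and still be the wrong signer.
            if EXPECTED_SIGNER not in signer.lower():
                findings.append(f"mpsvc.dll signed by unexpected signer: {signer!r}")

    if event["type"] == "process":
        cmd = event.get("command_line", "")
        if "set-mppreference" in cmd.lower() and TAMPER_SWITCHES.search(cmd):
            findings.append("Defender protections weakened via Set-MpPreference")
    return findings


def scan(log_text):
    """Parse JSON lines and return [(line_number, findings)] for alerting lines."""
    results = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        findings = alerts_for(json.loads(line))
        if findings:
            results.append((n, findings))
    return results


# Constructed sample telemetry (not real IOCs); the signer on line 3 is a placeholder.
SAMPLE_LOG = r"""
{"type": "process", "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0000.0-0\\MsMpEng.exe", "command_line": "MsMpEng.exe", "signer": "Microsoft Windows"}
{"type": "process", "image": "C:\\Windows\\MsMpEng.exe", "command_line": "C:\\Windows\\MsMpEng.exe", "signer": "Microsoft Windows"}
{"type": "imageload", "image": "C:\\Windows\\MsMpEng.exe", "loaded": "C:\\Windows\\mpsvc.dll", "signer": "EXAMPLE-TRANSPORT-CO (placeholder signer)"}
{"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -MAPSReporting Disabled", "signer": "Microsoft Windows"}
{"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe Get-MpPreference", "signer": "Microsoft Windows"}
"""

if __name__ == "__main__":
    for line_no, findings in scan(SAMPLE_LOG):
        for finding in findings:
            print(f"line {line_no}: {finding}")
```

Run as-is, the first and last sample lines stay quiet (Defender running from its own directory, a read-only `Get-MpPreference`), line 2 fires on the relocated engine, line 3 fires three times (relocated engine, side-loaded DLL, unexpected signer), and line 4 fires on the tampering command line. The signer rule is the one that speaks most directly to the sentence above: checking only that a signature is valid would have passed the encryptor, so the rule pins the signer to the publisher the binary name implies.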

In some cases, the attackers appear to have demanded $50,000, while in others they reportedly demanded a $5 million ransom from victims. REvil attacks typically also involve the theft of data from compromised systems in an effort to pressure the victim into paying the ransom. However, it’s unclear if any files were stolen in these attacks, considering that the attackers may not have had much time on victim systems before the Kaseya breach came to light.

The REvil ransomware was also used recently in an attack aimed at meat packaging giant JBS, which paid $11 million to the hackers to ensure that the files they stole would not be made public.

Indicators of compromise (IOCs) for this attack have been shared by Huntress, Sophos, and Kevin Beaumont. Emsisoft’s Fabian Wosar has shared a copy of the ransomware encryptor configuration.

Incident Response Impact

Experts are sounding the alarm over the fact that many firms use Kaseya’s tool as part of their incident response process, and losing the ability to leverage the tool could pose a big problem.

“This type of a supply chain attack, similar to the SolarWinds attack, goes straight to the jugular of organizations looking to recover from a breach,” added Chris Grove, technology evangelist with Nozomi Networks. “These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed.”

“Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem, or is unavailable, it adds complexity to the recovery efforts,” Grove said. 

“It’s hard to explain how devastating this is for Kaseya VSA customers,” said Jake Williams, co-founder and CTO at BreachQuest. “Most of our customers who use Kaseya employ it as their single IT tool for systems management, software installation, and visibility. Now, during a ransomware event, they’re unable to use this tool they’ve invested in for remediation. Most Kaseya customers we’ve worked with have no contingency plan for this. Even worse, given the holiday weekend in the US, we’re unlikely to know the full impact of this until next week.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
