Supply chain · Contained

Kaseya VSA supply-chain ransomware (REvil)

REvil affiliates exploited a SQL injection zero-day in Kaseya's VSA remote-management platform to push ransomware to ~60 MSPs and through them to ~1,500 downstream organisations. The largest supply-chain ransomware attack on record.

Victim
Kaseya VSA customers (~60 MSPs, ~1,500 downstream organisations)
Loss
$200.0M

On Friday afternoon, 2 July 2021, hours before the long U.S. Independence Day weekend, REvil ransomware affiliates exploited a SQL injection zero-day in Kaseya VSA, a remote-management platform used by Managed Service Providers (MSPs), to push their encryptor through Kaseya's update mechanism to roughly 60 MSPs and from there to between 1,500 and 2,000 downstream organisations. It was the largest supply-chain ransomware attack on record and the first to demonstrate the catastrophic blast radius of compromising the MSP layer.

What happened

The attack chain was unusually clean. REvil operators:

  1. Exploited CVE-2021-30116, a SQL injection vulnerability in Kaseya VSA's web interface. The vulnerability had been privately reported to Kaseya by the Dutch Institute for Vulnerability Disclosure in April 2021 and was in the process of being patched when REvil weaponised it.
  2. Authenticated to the VSA platform via the injected SQL, then exploited an authentication bypass to obtain administrative session tokens.
  3. Pushed the REvil encryptor through the VSA update channel, disguising it as a "VSA Agent Hot-fix". Because VSA agents run as SYSTEM on every endpoint they manage, the encryptor executed with full privileges on every workstation, server, and POS terminal connected to an affected MSP.
  4. Disabled Microsoft Defender before encryption via signed scripts that VSA legitimately uses.
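Steps 3 and 4 above leave two signals in an MSP's own RMM audit trail: one procedure reaching every managed endpoint within seconds, followed by a script that switches off Defender. The following is an added example, not code from Kaseya or from this write-up, showing a detection heuristic for both signals run over a constructed audit log. The log layout (timestamp, event type, key=value fields), the field names, and the endpoint and actor names are assumptions made for the example; the `Set-MpPreference` pattern is the standard Defender-tampering indicator.

```python
"""Detection heuristic for the RMM abuse pattern described in the attack chain.

Added example, not code from Kaseya or from the original write-up. The log
format (one event per line: timestamp, event type, key=value fields) and the
field names are assumptions; adapt parse_log() to your RMM's real audit export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real Kaseya VSA output): six endpoints
# receive the same "hot-fix" procedure within seconds, then one of them runs
# a command that turns off Defender real-time protection.
SAMPLE_LOG = """\
2021-07-02T16:20:01Z procedure_run procedure="Monthly Patch Scan" target=ws-001 actor=admin@msp.example
2021-07-02T16:30:10Z procedure_run procedure="Kaseya VSA Agent Hot-fix" target=ws-001 actor=admin@msp.example
2021-07-02T16:30:11Z procedure_run procedure="Kaseya VSA Agent Hot-fix" target=ws-002 actor=admin@msp.example
2021-07-02T16:30:11Z procedure_run procedure="Kaseya VSA Agent Hot-fix" target=srv-db01 actor=admin@msp.example
2021-07-02T16:30:12Z procedure_run procedure="Kaseya VSA Agent Hot-fix" target=pos-017 actor=admin@msp.example
2021-07-02T16:30:12Z procedure_run procedure="Kaseya VSA Agent Hot-fix" target=pos-018 actor=admin@msp.example
2021-07-02T16:30:13Z procedure_run procedure="Kaseya VSA Agent Hot-fix" target=ws-003 actor=admin@msp.example
2021-07-02T16:30:14Z script_exec target=ws-001 cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"
2021-07-02T16:31:00Z script_exec target=ws-002 cmd="powershell.exe Get-Date"
2021-07-02T17:05:00Z procedure_run procedure="Monthly Patch Scan" target=ws-002 actor=admin@msp.example
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")
# key=value where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Defender features being switched off through Set-MpPreference -Disable... $true.
DEFENDER_TAMPER_RE = re.compile(r"Set-MpPreference\b.*-Disable\w*\s+\$?true", re.IGNORECASE)


def parse_log(text):
    """Turn the audit log into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                 "event": m.group("event")}
        for key, quoted, bare in KV_RE.findall(m.group("rest")):
            event[key] = quoted if quoted else bare
        events.append(event)
    return events


def find_mass_pushes(events, min_targets=5, window=timedelta(minutes=5)):
    """Flag any procedure that reaches at least min_targets distinct endpoints
    inside one sliding window. Returns (procedure, endpoint_count, window_start)."""
    runs_by_proc = defaultdict(list)
    for e in events:
        if e["event"] == "procedure_run" and "procedure" in e and "target" in e:
            runs_by_proc[e["procedure"]].append((e["ts"], e["target"]))
    alerts = []
    for proc, runs in runs_by_proc.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            targets = {t for ts, t in runs[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts.append((proc, len(targets), start))
                break  # one alert per procedure is enough
    return alerts


def find_defender_tampering(events):
    """Return (ts, target, cmd) for script executions that disable Defender features."""
    return [(e["ts"], e["target"], e["cmd"])
            for e in events
            if e["event"] == "script_exec" and DEFENDER_TAMPER_RE.search(e.get("cmd", ""))]


def analyse(text):
    """Run both detectors over a log text and return their findings."""
    events = parse_log(text)
    return {"mass_pushes": find_mass_pushes(events),
            "defender_tampering": find_defender_tampering(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for proc, n, start in result["mass_pushes"]:
        print(f"ALERT mass push: {proc!r} reached {n} endpoints starting {start:%H:%M:%S}Z")
    for ts, target, cmd in result["defender_tampering"]:
        print(f"ALERT Defender tampering on {target} at {ts:%H:%M:%S}Z: {cmd}")
```

The mass-push threshold and window are tunable; the point of correlating the two detectors is that a legitimate patch rollout rarely arrives seconds before endpoints start disabling their own antivirus, so the pair firing together on the same endpoint set is a far stronger signal than either alone.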

By the time Kaseya detected the attack at approximately 14:00 EDT on 2 July and instructed all on-prem VSA customers to shut down servers, the encryptor had already propagated. Within hours, retail point-of-sale terminals, accounting systems, dental practice EMRs, and small-business backups had been encrypted across six continents.

Impact

  • Coop (Sweden): closed all 800 grocery stores for several days after every point-of-sale terminal was encrypted. The single most visible impact of the attack.
  • Synnex / VirtualSystems / IT By Design and other MSPs: each had dozens of customers encrypted simultaneously, in some cases destroying the MSP's business model.
  • Roughly 1,500 small and mid-sized businesses worldwide had at least some systems encrypted.
  • Total estimated direct and indirect damage: $150–300 million.

REvil's ransom demand was unusual: a single $70 million payment for a universal decryptor. The framing of the demand (universal rather than per-victim) suggested the attackers had not anticipated the scale of the impact and were attempting to package a clean exit.

Response

On 13 July 2021, REvil's infrastructure went offline. Public reporting at the time speculated about Russian government pressure following a Biden-Putin call. The actual mechanism was later confirmed by the FBI: U.S. operators had compromised REvil's infrastructure during the attack, leading to the eventual recovery of:

  • A universal decryptor that the FBI provided to Kaseya, which Kaseya then distributed free to affected customers on 22 July.
  • Operator communications and cryptocurrency wallets that supported the subsequent arrest of Yaroslav Vasinskyi at the Polish-Ukrainian border on 8 October 2021.

Vasinskyi was extradited to the United States in March 2022 and sentenced on 1 May 2024 to 13 years 7 months in federal prison plus $16 million in restitution, making him one of the very few ransomware operators to actually face trial in a Western courtroom.

Why it matters

Kaseya is the canonical case for MSP-as-supply-chain risk. The attack revealed:

  • The MSP layer is a force-multiplier for ransomware: compromise one MSP and you compromise every customer downstream.
  • Patch windows matter operationally: REvil exploited CVE-2021-30116 during the brief window between private disclosure and public patch.
  • Hands-on-keyboard response works: the FBI's covert infrastructure access during the active incident yielded both the decryptor and the operator identification that supported the eventual conviction.
  • Long-weekend timing is the standard ransomware playbook: the Friday-before-July-4 timing is now the canonical example of intentional weekend / holiday targeting.

Financial impact

Reported costs in USD

Total reported loss
200.0M
USD · $200,000,000
Ransom demanded
$70.0M
Ransom paid
Refused
  • Business loss: $150.0M
  • Remediation: $50.0M

Timeline

  1. Dutch Institute for Vulnerability Disclosure (DIVD) discovers CVE-2021-30116 and CVE-2021-30117 in Kaseya VSA and privately reports them to Kaseya.

  2. Kaseya and DIVD coordinate fixes; some patches are deployed but the SQL injection (CVE-2021-30116) remains unpatched as REvil prepares its weaponisation.

  3. At ~12:30 EDT on Friday afternoon ahead of the U.S. Independence Day long weekend, REvil affiliates exploit CVE-2021-30116 against Kaseya VSA on-prem servers and push the REvil encryptor disguised as a 'VSA hotfix'.

  4. Kaseya detects the attack and within hours instructs all on-prem VSA customers to shut down servers immediately. ~60 MSPs and ~1,500 downstream organisations are encrypted.

  5. Coop, Sweden's second-largest grocery chain, closes all 800 stores after their point-of-sale terminals are encrypted via a downstream MSP.

  6. REvil publishes a single ransom demand on its leak site: $70 million for a universal decryptor.

  7. REvil's infrastructure mysteriously goes offline. The U.S. government is widely believed to have applied pressure on Russia; the FBI later confirms it had quietly compromised REvil infrastructure during the attack.

  8. Kaseya obtains a universal decryptor (origin attributed to the FBI's REvil-infrastructure access) and provides it free to affected customers.

  9. Yaroslav Vasinskyi is arrested at the Polish-Ukrainian border on a U.S. warrant.

  10. Vasinskyi is sentenced to 13 years 7 months and ordered to pay $16M in restitution.

Sources

  1. justice.gov: https://www.justice.gov/opa/pr/sodinokibirevil-affiliate-sentenced-role-kaseya-ransomware-attack-affecting-thousands
  2. helpdesk.kaseya.com: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
  3. cisa.gov: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a

Related incidents

Supply chain · Contained

SolarWinds SUNBURST supply-chain compromise (Cozy Bear)

Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.

Victim
SolarWinds (Orion customers: ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Loss
$100.00B