Kaseya crippled by supply chain attack

Edward Kost
Edward Kost
July 5, 2021

The two largest threats to cybersecurity are supply chain attacks and ransomware attacks, but a combination of the two creates a new sinister breed of cyber threat.

The Russian ransomware gang REvil, inspired by the SolarWinds wreckage caused by their comrades, SVR, launched a supply chain attack to distribute their ransom software.

The target was Florida-based  IT company Kaseya. REvil compromised Kaseya VSA servers and are currently using them to deploy and distribute their ransomware. 

The ransomware encryptors are contained in the file agent.exe. When this file is activated, both an old yet legitimate, copy of Windows Defender MsMpEng.exe, and the encryptor payload mpsvc.dll. are dropped into the C:\Windows path to DLL sideload - a process where a malicious DLL file is loaded in place of a legitimate one.

Kaseya supply chain attack DLL sideloading process - Source: huntress.com
Kaseya supply chain attack DLL sideloading process - Source: huntress.com

Several hundred organizations were impacted, including Kaseya VSA software customers and multiple Managed Service Providers (MSP) that use the VSA solution.

Sweden suffered a heavy blow. State railways and a major pharmacy chain were affected, as well as 800 stores from the grocery chain Coop.

The Cybersecurity & Infrastructure Security Agency (CISA) recommends impacted organizations follow Kaseya’s advice of immediately shutting down all VSA servers until further notice

The cyberattack occurred on the Friday of the 4th of July holiday weekend, sparking speculation that the attack was motivated by political tensions rather than financial gain, like most ransomware attacks.

REvil is a family of ransomware developed by a Russian cybercriminal group. The ransomware is detected in antivirus scans as Ransom.Sodinokibi. REvil threat actors have achieved a reputation of launching some of the most devastating ransomware attacks against high-profile organizations.

Investigations are still ongoing, but the impact of this cyberattack is expected to be colossal. 

Each confirmed victim so far provides services to customers, that might eventually discover that they’ve also been breached. Such a pernicious domino effect occurred with the Accellion supply chain attack.

But unlike historical supply chain attacks, this one is very different. Victims are being infected with ransomware, where sensitive data is encrypted and only liberated if a ransom is paid, which, on average costs $170,000.

If victim behavior aligns with statistical trends, almost half will pay a ransom, funding future attacks, and only 29% will restore their seized files, whether or not a ransom is paid.

These figures, as disturbing as they are, only correspond to ransomware attack events. They could shift dramatically when the destructiveness of ransomware is coupled with the pervasiveness of a supply chain attack.

How secure is Kaseya?

Kaseya Limited is an American software company that develops software for managing networks, systems, and information technology infrastructure.
  • Check icon
    View our free preliminary report on Kaseya’s security posture
  • Check icon
    13 risk factors, including email security, SSL, DNS health, open ports and common vulnerabilities
Security ratings
Abstract shape
Deliver icon

Sign up for our newsletter

Stay up-to-date on everything UpGuard with our monthly newsletter, full of product updates, company highlights, free cybersecurity resources, and more.
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

Protect your organization

Get in touch or book a free demo.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan rating