Summary
On 2 July 2021, the Friday before the US holiday weekend, the REvil ransomware gang exploited a chain of zero-day flaws in Kaseya VSA, a remote-monitoring-and-management tool used by managed service providers, starting with CVE-2021-30116 (an unauthenticated credential leak). By abusing VSA's trusted software-deployment mechanism, REvil pushed its encryptor through roughly 50 to 60 MSPs down to about 1,500 of their downstream business customers in one cascading supply-chain hit, including Sweden's Coop grocery chain, which closed about 800 stores. REvil demanded $70 million for a universal decryptor; a decryptor key was ultimately obtained and distributed without payment. It is the lesson that the management tools with the most reach are the highest-value targets and need the strongest controls.
How it happened
Kaseya VSA is the kind of software that runs the internet's plumbing without most people knowing it exists. It is a remote-monitoring-and-management (RMM) tool that managed service providers use to administer their customers' computers in bulk: pushing patches, installing software, running scripts, all with deep privilege on thousands of machines at once. That reach is exactly what made it a perfect weapon.
The REvil ransomware crew had a chain of zero-days in the internet-facing VSA server, beginning with an unauthenticated credential leak (CVE-2021-30116) that handed them a valid session and led on to code execution. They timed their strike for the Friday afternoon of a long holiday weekend, when IT teams were thinnest. Using the flaws, they pushed what looked like a routine Kaseya update through the trusted deployment channel; the VSA agents on every downstream endpoint accepted it because it came from their own management server. The update ran a script that first disabled Windows Defender, then used a legitimate, Microsoft-signed Defender binary to side-load REvil's encryptor, so the malware executed under a trusted process. One compromise of one product cascaded, through the MSPs that used it, to all of their customers at once, and from first exploit to mass encryption took under two hours. In a bitter detail, the Dutch disclosure institute DIVD, whose researcher Wietse Boonstra had found the bugs, had privately reported them to Kaseya months earlier, and Kaseya was finishing the patch when REvil struck first.
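The endpoint half of that chain (protection switched off, then a relocated Microsoft-signed binary loading an unsigned DLL from its own directory) can be matched as a sequence over normalised telemetry. This is an added example, not code from the page, Kaseya or any vendor; the event schema, host names, paths and file names are constructed, and it assumes a feed such as Sysmon or an EDR that already records image signers and module loads.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event schema (not Kaseya's, Windows' or any EDR's format): one record per event.
@dataclass
class Event:
    ts: datetime
    host: str
    kind: str             # "defender_rtp_disabled" | "process_start" | "image_load"
    image: str = ""       # full path of the process image
    signer: str = ""      # Authenticode signer of the image, "" if unsigned
    module: str = ""      # image_load only: path of the DLL being loaded
    module_signer: str = ""

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MICROSOFT_SIGNERS = {"microsoft windows", "microsoft corporation"}
WINDOW = timedelta(minutes=30)   # how long after protection goes off we stay suspicious

def is_relocated_microsoft_binary(e: Event) -> bool:
    """A Microsoft-signed image started from outside the normal install roots."""
    return (e.kind == "process_start" and e.signer.lower() in MICROSOFT_SIGNERS
            and not e.image.lower().startswith(TRUSTED_DIRS))

def detect_sideload_after_defender_off(events):
    """(host, ts) for each unsigned DLL loaded from its own directory by a relocated
    Microsoft-signed process within WINDOW of real-time protection being disabled
    on that host (on Windows, Defender operational Event ID 5001)."""
    by_host = {}
    for e in sorted(events, key=lambda x: x.ts):
        by_host.setdefault(e.host, []).append(e)
    alerts = []
    for host, evs in by_host.items():
        off_times = [e.ts for e in evs if e.kind == "defender_rtp_disabled"]
        relocated = {e.image.lower() for e in evs if is_relocated_microsoft_binary(e)}
        for e in evs:
            if e.kind != "image_load" or e.module_signer or e.image.lower() not in relocated:
                continue   # signed modules and loads by non-relocated processes are ignored
            same_dir = e.image.lower().rsplit("\\", 1)[0] == e.module.lower().rsplit("\\", 1)[0]
            if same_dir and any(timedelta(0) <= e.ts - t <= WINDOW for t in off_times):
                alerts.append((host, e.ts))
    return alerts

T0 = datetime(2021, 7, 2, 14, 5)   # constructed timestamps, hosts, paths and file names
SAMPLE = [
    Event(T0, "ws-17", "defender_rtp_disabled"),
    Event(T0 + timedelta(minutes=3), "ws-17", "process_start",
          image="C:\\Temp\\Upd\\msengine.exe", signer="Microsoft Corporation"),
    Event(T0 + timedelta(minutes=3, seconds=2), "ws-17", "image_load",
          image="C:\\Temp\\Upd\\msengine.exe", module="C:\\Temp\\Upd\\helper.dll"),
]
```

The same three events without the first one, or with the module signed, produce no alert, which is the point: none of the three signals is suspicious alone, only the sequence is.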
The damage
Roughly 1,500 businesses were ransomwared in a single stroke, almost none of which had ever heard of Kaseya: dentists, accountants, schools, and small firms whose IT was outsourced. The most visible victim was Sweden's Coop supermarket chain, which had to close about 800 stores because its checkout systems were frozen, though Coop was never a Kaseya customer itself; it was hit two hops down, through a managed-service provider (Visma Esscom) that ran VSA. REvil demanded a flat $70 million for a universal decryptor, or individual ransoms from $45,000 to $5 million. The saga ended unusually: the FBI quietly obtained REvil's universal decryption key by penetrating its infrastructure, then held it for about three weeks while planning a takedown, before finally sharing it so victims could recover for free. REvil's servers went dark soon after, the group was disrupted by a multi-country operation in October 2021, and in January 2022 Russia's FSB arrested members at the United States' request.
Why Kaseya still matters
Kaseya is the cleanest illustration of supply-chain blast radius through trust. The tools with the most reach (RMM, software deployment, MSP platforms) are precisely the ones an attacker wants, because compromising one of them compromises everyone downstream simultaneously. It also showed that timing is a weapon: attackers strike on holidays and weekends on purpose, and a fully automated cascade can outrun any human response (here, under two hours). The defences are to treat RMM and deployment tooling as crown-jewel infrastructure (minimal internet exposure, MFA, strict segmentation), to patch internet-facing management servers on the shortest possible SLA, to constrain and alert on what those tools can deploy, to apply application allowlisting so an unexpected pushed binary cannot run, and to keep offline backups, because a cascading attack hits many victims at once. It belongs in the same story as SolarWinds: trusted management software turned into a delivery mechanism.
How to fix it
- Take the affected RMM or management server offline immediately, then patch and rebuild before reconnecting.
- Isolate and restore impacted downstream endpoints from clean offline backups.
- Rotate every credential and key the management tool held or could reach.
- Coordinate with affected MSP customers and trace how the deployment channel was abused.
How to avoid it
- Treat RMM, deployment, and MSP tooling as crown-jewel infrastructure: minimal exposure, MFA, and strict network segmentation.
- Keep internet-facing management servers patched on the shortest possible SLA, and do not expose them publicly when it can be avoided.
- Constrain and monitor what management tools can deploy, and alert on unexpected mass-deployment actions.
- Apply application allowlisting on endpoints so an unexpected pushed binary cannot execute.
- Keep tested, offline backups and a rehearsed response plan; cascading MSP attacks hit many victims at once.
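The mass-deployment item above can be turned into a concrete control: a sliding-window rate check over the management server's own audit trail, with a much tighter limit outside business hours and on thin-staffing days such as the Friday before a holiday weekend. This is an added example, not Kaseya VSA's or any product's code; the log format, operator names, fleet size and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed audit-log format (not VSA's own): "timestamp|operator|action|target_count",
# one line per deployment action the management server carried out.
SAMPLE_LOG = """\
2021-07-02T09:10:00|alice|run_procedure:patch_scan|12
2021-07-02T09:40:00|alice|run_procedure:patch_scan|9
2021-07-02T10:05:00|bob|install_package:vpn_client|25
2021-07-02T14:20:00|svc_api|run_procedure:agent_update|640
2021-07-02T14:21:00|svc_api|run_procedure:agent_update|610
2021-07-02T14:23:00|svc_api|run_procedure:agent_update|450
"""

FLEET_SIZE = 1800              # endpoints this server manages (constructed)
WINDOW = timedelta(minutes=15)
NORMAL_SHARE = 0.05            # share of the fleet one operator may push per window
THIN_SHARE = 0.01              # tighter limit on weekends, off-hours and thin-staffing days

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, operator, action, targets = line.split("|")
        rows.append((datetime.fromisoformat(ts), operator, action, int(targets)))
    return rows

def is_thin_staffed(ts, thin_days=frozenset()):
    """Weekend, outside 08:00-18:00, or a calendar day flagged as thin (e.g. holiday eve)."""
    return ts.weekday() >= 5 or ts.date() in thin_days or not 8 <= ts.hour < 18

def detect_mass_deploy(rows, fleet=FLEET_SIZE, thin_days=frozenset()):
    """Sum targets per operator over a sliding WINDOW; alert as (operator, ts, total)
    whenever the running total exceeds the fleet share allowed at that moment."""
    alerts = []
    recent = defaultdict(list)
    for ts, operator, _action, targets in sorted(rows):
        q = recent[operator]
        q.append((ts, targets))
        while ts - q[0][0] > WINDOW:
            q.pop(0)               # drop actions that fell out of the window
        total = sum(n for _, n in q)
        share = THIN_SHARE if is_thin_staffed(ts, thin_days) else NORMAL_SHARE
        if total > fleet * share:
            alerts.append((operator, ts, total))
    return alerts

if __name__ == "__main__":
    # 2 July 2021 treated as thin-staffed: the Friday before a holiday weekend
    for alert in detect_mass_deploy(parse_log(SAMPLE_LOG), thin_days={date(2021, 7, 2)}):
        print(alert)
```

Alerting is the minimum; the stronger form of the same check is a server-side gate that holds any push over the threshold for a second approver before the agents ever see it.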