REvil and the Kaseya Weekend
A ransomware crew chose the Friday before the Fourth of July to push their payload through a network-management tool used by thousands of IT shops.
On July 2, 2021, the Friday before the long American Independence Day weekend, a Russian-speaking ransomware group called REvil (also tracked as Sodinokibi) compromised Kaseya VSA. VSA is a remote monitoring and management tool used by managed service providers, the IT outsourcers who run the help desks and patching infrastructure for tens of thousands of small businesses. REvil did not tamper with Kaseya's own software build; it exploited a vulnerability in internet-facing, on-premises VSA servers run by MSPs and then used VSA's legitimate agent-deployment mechanism to push ransomware to managed endpoints disguised as a VSA agent hotfix.
Cascade by design
Because MSPs used VSA to administer their own customers, the malicious update propagated downstream through the MSP relationship. A single compromised VSA server could push ransomware to every customer environment it managed, and the endpoints accepted the payload because it arrived through the same trusted channel that delivered their routine patches. Kaseya put the direct victims at roughly fifty to sixty of its MSP customers, but the final tally of end-customer organizations landed at roughly fifteen hundred across dozens of countries (a Swedish grocery chain that closed hundreds of stores, New Zealand schools, US dental practices), many of which had no idea they relied on Kaseya at all.
A ransom note priced for headlines
REvil initially demanded seventy million dollars in Bitcoin for a universal decryption key, the largest ransom demand publicly known at the time. Within two weeks, on July 13, the group's leak site and payment infrastructure went offline under what appeared to be combined pressure from US diplomacy and Russian law enforcement. On July 22 Kaseya announced it had obtained a universal decryptor from a third party it declined to name, and it stated publicly that it had not paid a ransom, either directly or through an intermediary.
What the chronicle remembers
Kaseya was the moment the MSP layer of the internet became visible as a strategic chokepoint. Small businesses do not run their own security operations. They outsource them. Compromising the outsourcer is dramatically more efficient than compromising any one customer, and Kaseya was the case study that put that calculation in front of every CISO who outsourced anything. The practical corollary is that the tooling an MSP uses to reach into customer networks (remote management servers, patching and monitoring agents) is a privileged system and needs to be exposed, patched and monitored as one; Kaseya's first advisory on July 2 was simply to shut down every on-premises VSA server until further notice.