Skip to content
Back to all chronicles
Ransomware#ransomware#supply-chain#msp

Kaseya: The Holiday Weekend REvil Locked 1,500 Firms

REvil exploited Kaseya VSA over the July 4th weekend, cascading ransomware through managed service providers to roughly 1,500 downstream businesses.

Cyber Chronicle2 min read

On July 2, 2021, the Friday before the long American Independence Day weekend, a Russian-speaking ransomware group called REvil pushed a malicious update through Kaseya VSA. VSA was a remote-management tool used by managed service providers — the IT outsourcers who run the help desks and patching infrastructure for tens of thousands of small businesses.

Cascade by design

Because VSA was used by MSPs to administer their own customers, the malicious update propagated downstream through the MSP relationship. A single compromised VSA server could push ransomware to every customer environment it managed. The final tally landed at roughly fifteen hundred end-customer organizations across dozens of countries — Swedish grocery chains, New Zealand schools, US dental practices — many of whom had no idea they relied on Kaseya at all.

A ransom note priced for headlines

REvil initially demanded seventy million dollars in Bitcoin for a universal decryption key, an ambition unprecedented in scale. Within weeks, the group's infrastructure went offline under what appeared to be combined pressure from US diplomacy and Russian law enforcement. A universal decryptor was eventually made available, and Kaseya never publicly confirmed paying for it.

What the chronicle remembers

Kaseya was the moment the MSP layer of the internet became visible as a strategic chokepoint. Small businesses do not run their own security operations. They outsource them. Compromising the outsourcer is dramatically more efficient than compromising any one customer, and Kaseya was the case study that put that calculation in front of every CISO who outsourced anything.

Related chronicles