category supply chain
published July 2021 / Updated 2025
cve CVE-2021-30116

Kaseya VSA Supply Chain Attack: A Technical Analysis

On July 2, 2021 — the Friday before a U.S. holiday weekend — the REvil ransomware group exploited zero-day vulnerabilities in Kaseya's VSA remote management software, pushing ransomware downstream to an estimated 800 to 1,500 businesses through roughly 50 managed service providers. It remains one of the most operationally significant supply chain ransomware events on record.

Kaseya's Virtual System Administrator (VSA) is a remote monitoring and management (RMM) platform widely used by managed service providers (MSPs) to manage client endpoints, deploy software, and automate patching across large fleets of machines. That combination of trusted access and broad reach made it an ideal pivot point. When an attacker controls the VSA server, they effectively control every endpoint that server manages — across every client.

REvil (also known as Sodinokibi) understood this. Rather than compromising individual organizations one at a time, they went after the management layer itself. The attack was not a traditional software supply chain compromise like SolarWinds, where build infrastructure was tampered with. Instead, REvil exploited authentication flaws in internet-facing VSA servers to gain access and then used VSA's own native agent functionality to deliver ransomware payloads to downstream clients.

The Vulnerability: CVE-2021-30116

The primary CVE assigned to this attack — CVE-2021-30116 — covers a credential disclosure vulnerability in Kaseya VSA prior to version 9.5.7. However, the full attack surface was broader than a single CVE. Researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) had actually discovered and responsibly disclosed multiple zero-day vulnerabilities in Kaseya VSA to the company months earlier, in March 2021. DIVD researcher Wietse Boonstra identified six zero-day flaws and coordinated disclosure with Kaseya, which was actively working on patches before the attack occurred.

Race Condition

REvil deployed the attack while Kaseya was still working on patches for three of the reported vulnerabilities. The timeline strongly suggests threat actors were aware that a patch was imminent and deliberately struck before remediation could be completed. Whether they obtained information about the vulnerabilities through independent discovery or other means has never been publicly confirmed.

The exploitation chain involved three primary vulnerability classes working in sequence. First, an authentication bypass in the VSA web interface allowed the attacker to obtain an authenticated session without valid credentials. Second, an arbitrary file upload vulnerability enabled the upload of the initial malicious payload. Third, a SQL injection flaw in userFilterTableRpt.asp was used to execute server-side commands. Kaseya's own incident disclosure confirmed that the attackers used these zero-day vulnerabilities to bypass authentication and achieve arbitrary command execution.

The IIS access logs of compromised VSA servers captured the characteristic HTTP request sequence used in the attack:

POST /dl.asp curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
POST /userFilterTableRpt.asp curl/7.69.1

The use of curl/7.69.1 as the user agent, and the presence of this specific request sequence targeting userFilterTableRpt.asp, became reliable indicators of compromise for defenders reviewing server logs.
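The log sequence above is specific enough to match mechanically rather than by eye. The following Python is an added example (not code from the briefing or from Kaseya): it parses IIS W3C extended log text using the #Fields header, groups requests by client IP, and reports any client whose requests contain the three POSTs (dl.asp, KUpload.dll, userFilterTableRpt.asp) in that order within a short window. The sample log, its timestamps and addresses are constructed, the 10-minute window is an assumption, and a lone browser GET of userFilterTableRpt.asp is included to show that ordinary report access alone does not trigger a finding.

```python
"""Flag the VSA exploitation request sequence in IIS W3C access logs.

Added example, not code from the briefing or from Kaseya. Input is W3C
extended log text with a #Fields header; the sample log is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered (method, uri-stem) pairs from the request sequence in the briefing.
# The interleaved GET /done.asp polls are not required for a match.
ATTACK_SEQUENCE = [
    ("POST", "/dl.asp"),
    ("POST", "/cgi-bin/KUpload.dll"),
    ("POST", "/userFilterTableRpt.asp"),
]
SUSPECT_AGENT = "curl/7.69.1"
WINDOW = timedelta(minutes=10)  # assumption: the chain completes within minutes

# Constructed sample: one attacker client (198.51.100.7) and one browser session.
# IIS writes '+' for spaces inside the user-agent, so lines split on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-07-02 18:01:40 10.0.0.5 GET / - 443 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2021-07-02 18:03:01 10.0.0.5 POST /dl.asp - 443 198.51.100.7 curl/7.69.1 200
2021-07-02 18:03:02 10.0.0.5 GET /done.asp - 443 198.51.100.7 curl/7.69.1 200
2021-07-02 18:03:03 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 198.51.100.7 curl/7.69.1 200
2021-07-02 18:03:04 10.0.0.5 GET /done.asp - 443 198.51.100.7 curl/7.69.1 200
2021-07-02 18:03:05 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 198.51.100.7 curl/7.69.1 200
2021-07-02 18:03:06 10.0.0.5 POST /userFilterTableRpt.asp - 443 198.51.100.7 curl/7.69.1 200
2021-07-02 18:09:12 10.0.0.5 GET /userFilterTableRpt.asp - 443 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # a log may re-declare fields after a restart
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before any #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def find_attack_sequences(rows):
    """One finding per client whose requests contain ATTACK_SEQUENCE in order within WINDOW."""
    by_client = defaultdict(list)
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        by_client[r["c-ip"]].append((ts, r["cs-method"], r["cs-uri-stem"], r["cs(User-Agent)"]))

    findings = []
    for client, reqs in by_client.items():
        reqs.sort()
        idx, start, agents = 0, None, set()     # state of the in-order match
        for ts, method, stem, agent in reqs:
            if start is not None and ts - start > WINDOW:
                idx, start, agents = 0, None, set()   # stale partial match: restart
            if (method, stem) != ATTACK_SEQUENCE[idx]:
                continue                               # unrelated request, keep state
            if idx == 0:
                start = ts
            agents.add(agent)
            idx += 1
            if idx == len(ATTACK_SEQUENCE):
                findings.append({
                    "client": client,
                    "first_seen": start.isoformat(),
                    "last_seen": ts.isoformat(),
                    "user_agents": sorted(agents),
                    "curl_7_69_1": SUSPECT_AGENT in agents,
                })
                idx, start, agents = 0, None, set()
    return findings


def detect(text):
    """Convenience wrapper: parse a log and return the sequence findings."""
    return find_attack_sequences(parse_iis_log(text))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The match is stateful per client: unrelated requests between the three POSTs are ignored, a partial match older than the window is discarded, and the user agents seen during the match are carried into the finding so the curl/7.69.1 indicator is reported alongside the sequence rather than used as the only trigger.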

Payload Delivery and the DLL Sideloading Chain

Once the attacker had authenticated access to the VSA server, they leveraged VSA's own agent management capabilities to push out a procedure named "Kaseya VSA Agent Hot-fix" — designed to appear as a routine update. This procedure delivered a file called agent.crt to the default working path C:\kworking\ on managed endpoints. The .crt extension gave it the appearance of a certificate file.

Before the ransomware payload could execute, a PowerShell script ran first. This script performed several critical preparatory steps: it disabled Windows Defender's real-time monitoring, network monitoring, and folder protections; used the certutil.exe utility (renamed to cert.exe to reduce signature matching) to Base64-decode agent.crt into the executable agent.exe; and then executed the decoded payload.

# Defender disablement via PowerShell (simplified representation of the script's first stage)
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -EnableNetworkProtection Disabled    # Set-MpPreference has no -DisableNetworkProtection switch; this is the documented form
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIOAVProtection $true

# Decode the payload (the actual script first copied certutil.exe to cert.exe, as noted above,
# and launched the decoded agent.exe afterwards)
certutil -decode agent.crt agent.exe

When agent.exe executed, it dropped two files into C:\Windows\: a legitimate but outdated version of MsMpEng.exe (a Microsoft Antimalware Service executable signed in 2014), and a malicious DLL named mpsvc.dll. This is where the DLL sideloading technique came into play.

What Is DLL Sideloading

DLL sideloading abuses the way Windows resolves DLL dependencies. When a legitimate, signed executable is placed in the same directory as a malicious DLL with an expected name, Windows loads the malicious DLL instead of (or in addition to) the legitimate one. Because the host process is a trusted, signed binary, security tools that check process trust may not flag the execution. In this attack, the trusted host was an old but signed Microsoft binary — and the malicious DLL it loaded contained the full REvil ransomware.

When the old MsMpEng.exe ran, it loaded mpsvc.dll and called its exported function ServiceCrtMain(). That function unpacked and executed the REvil (Sodinokibi) ransomware directly in memory with elevated privileges. The ransomware then created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter — a known REvil artifact used to store victim and attacker encryption key material and runtime configuration values.

REvil Configuration Behavior

The REvil variant deployed in the Kaseya attack used an RC4-encrypted embedded configuration. Several notable configuration values were set specifically for this campaign. The net parameter was set to false, instructing the ransomware not to beacon back to command-and-control domains after encryption — a deliberate evasion measure against network-based detection signatures. The arn (autorun) parameter was also disabled, suppressing registry persistence. Both choices reflected an attacker prioritizing speed and stealth over operational infrastructure.

The ransomware then enabled Windows network discovery to reach mapped drives:

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

It proceeded to enumerate local disks, removable drives, and network drives before beginning encryption. Files were encrypted across all accessible storage, with a predefined list of extensions excluded from encryption to preserve system operability (system binaries, executables, DLLs, drivers, and similar files were skipped). Encrypted files received the REvil-specific extension appended to their filenames, and ransom notes were written to the desktop and the C:\ drive.
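Each endpoint-side stage described above (the Set-MpPreference tampering and certutil decoding, the MsMpEng.exe/mpsvc.dll sideload, the BlackLivesMatter registry key, and the netsh network-discovery change) leaves telemetry that can be matched with simple rules. The following Python is an added example, not code from the briefing, Kaseya or any vendor. It assumes Sysmon-style event dictionaries (ProcessCreate, ImageLoad, RegistryEvent, with field names taken from Sysmon) plus PowerShell script-block text, a hypothetical `triage` function, constructed sample events, and the assumption that Defender's program directories are the only legitimate home for MsMpEng.exe and MpSvc.dll.

```python
"""Triage endpoint telemetry for the REvil delivery chain described above.

Added example, not code from the briefing, Kaseya or any vendor. Input events
are Sysmon-style dicts (ProcessCreate, ImageLoad, RegistryEvent) plus PowerShell
script-block text; field names follow Sysmon, all sample values are constructed.
"""
import re
from pathlib import PureWindowsPath

# Directories where Defender's MsMpEng.exe and MpSvc.dll legitimately live (assumption).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
REVIL_KEY_SUFFIX = r"\software\wow6432node\blacklivesmatter"

# Set-MpPreference turning a protection off: -Disable<X> $true or -Enable<X> Disabled/AuditMode.
MP_TAMPER = re.compile(
    r"set-mppreference\b.*?(-disable\w+\s+\$true|-enable\w+\s+(?:disabled|auditmode))", re.I)
CERTUTIL_DECODE = re.compile(r"(^|\s)-decode(\s|$)", re.I)
NETSH_DISCOVERY = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="network discovery"\s+new\s+enable=yes',
    re.I)


def _in_dirs(path, dirs):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in dirs)


def _base(path):
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Return one finding dict per event that matches a stage of the chain."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "ScriptBlock" and MP_TAMPER.search(ev["ScriptBlockText"]):
            findings.append({"rule": "defender_tamper", "detail": ev["ScriptBlockText"]})
        elif kind == "ProcessCreate":
            cmd = ev["CommandLine"]
            # Key on OriginalFileName so a renamed copy (cert.exe) is still caught.
            if ev.get("OriginalFileName", "").lower() == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
                findings.append({"rule": "certutil_decode", "detail": cmd})
            elif NETSH_DISCOVERY.search(cmd):
                findings.append({"rule": "network_discovery_enabled", "detail": cmd})
        elif kind == "ImageLoad":
            host, dll = ev["Image"], ev["ImageLoaded"]
            if _base(dll) == "mpsvc.dll" and _base(host) == "msmpeng.exe":
                # Legitimate only when host, DLL and signature all check out; a signed
                # host alone is exactly what sideloading relies on.
                legit = (_in_dirs(host, DEFENDER_DIRS) and _in_dirs(dll, DEFENDER_DIRS)
                         and ev.get("Signed", "").lower() == "true")
                if not legit:
                    findings.append({"rule": "dll_sideload", "detail": f"{host} loaded {dll}"})
        elif kind == "RegistryEvent" and ev["TargetObject"].lower().endswith(REVIL_KEY_SUFFIX):
            findings.append({"rule": "revil_registry_key", "detail": ev["TargetObject"]})
    return findings


# Constructed sample telemetry: five chain stages plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "ScriptBlock",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\cert.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\alice\setup.msi SHA256"},          # benign
    {"type": "ImageLoad", "Image": r"C:\Windows\MsMpEng.exe",
     "ImageLoaded": r"C:\Windows\mpsvc.dll", "Signed": "false"},
    {"type": "ImageLoad", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpSvc.dll", "Signed": "true"},  # benign
    {"type": "RegistryEvent", "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["rule"], "->", finding["detail"])
```

Two design points carry the lesson of this section: the certutil rule keys on the PE's OriginalFileName rather than the on-disk name, so the cert.exe rename does not evade it, and the sideload rule treats a signed host process as insufficient on its own, requiring the DLL and the host to load from the expected Defender directories before the event is considered legitimate.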

Scale and Downstream Impact

The attack targeted on-premises VSA server deployments — specifically those with the VSA web interface exposed directly to the internet. Kaseya's SaaS-hosted VSA infrastructure was not directly exploited, though Kaseya proactively took its SaaS systems offline as a precaution.

The multiplication effect is what made this attack exceptional. A single compromised VSA server manages potentially hundreds or thousands of endpoints across multiple client organizations. Roughly 50 MSPs running internet-facing VSA servers were directly compromised. Because of the managed service structure — where client environments are all managed from a shared platform without tenant isolation — ransomware flowed downstream to between 800 and 1,500 client businesses. Victims had no visibility into or control over what was happening until files were already encrypted.

Critical Scale Note

REvil publicly claimed to have encrypted over one million systems and demanded a $70 million ransom for a universal decryptor. While the actual confirmed downstream victim count was far lower than that claim, the attack still represented one of the widest-reach ransomware events since WannaCry in 2017. Kaseya did not pay a ransom. The company confirmed receiving a universal decryptor on July 23, 2021 from an unnamed trusted third party — later reporting indicated the decryptor was obtained with assistance from the FBI, which had been sitting on it for weeks while coordinating a law enforcement operation.

The timing was deliberate. Launching on the Friday afternoon before the Fourth of July holiday weekend in the United States maximized the window between attack detonation and when security teams and IT staff would return to work. This is a documented REvil operational pattern: striking when defender coverage is thin.

Kaseya's Response and the Patch Timeline

Within hours of the first reports, Kaseya's executive team made the decision to notify all on-premises customers to immediately shut down their VSA servers and simultaneously took down the SaaS infrastructure. On July 3, Kaseya released a Compromise Detection Tool that analyzed VSA servers and managed endpoints for indicators of compromise. Over 2,000 customers downloaded the tool within days of release.

Kaseya engaged Mandiant for incident response and cooperated with federal law enforcement throughout the investigation. The company confirmed that the VSA codebase itself had not been maliciously modified — this was not a software tampering attack but an exploitation of vulnerabilities in the deployed application to use its own legitimate functionality against clients.

On July 11, Kaseya restored its SaaS-based RMM service and released a patch (VSA 9.5.7) for on-premises deployments addressing the three unpatched zero-day vulnerabilities. The patch timeline — nine days from attack to patch availability — reflected the complexity of safely hardening the platform while the investigation was still active.

Attribution and Legal Aftermath

REvil (Ransomware Evil), also known as Sodinokibi, operated as a Ransomware-as-a-Service (RaaS) platform. The group provided ransomware infrastructure, affiliate management, and ransom negotiation services, with affiliates conducting the actual intrusions in exchange for a cut of ransom proceeds. REvil had previously been linked to the GOLD SOUTHFIELD threat group and was believed to operate out of Russia.

Following a July 9, 2021 call between U.S. President Biden and Russian President Putin — during which Biden pressed for action against ransomware groups operating from Russian territory — REvil's leak sites and infrastructure went dark on July 13. The group effectively disappeared from the internet, though affiliates later attempted to reconstitute operations under the same name.

Law enforcement moved methodically. On October 8, 2021, Ukrainian national Yaroslav Vasinskyi (alias "Rabotnik") was arrested in Poland. In November 2021, the U.S. Department of Justice unsealed indictments against Vasinskyi and Russian national Yevgeniy Polyanin. The U.S. also seized over $6.1 million in ransomware proceeds traceable to Polyanin.

Vasinskyi was extradited to the United States in March 2022 and arraigned in Texas. On May 1, 2024, he was sentenced to 13 years and 7 months in federal prison and ordered to pay over $16 million in restitution — covering his role not just in the Kaseya attack but in over 2,500 ransomware attacks collectively demanding more than $700 million in ransom payments.

Yaroslav Vasinskyi and his co-conspirators hacked into thousands of computers around the world and encrypted them with ransomware. Then they demanded over $700 million in ransom payments and threatened to publicly disclose victims' data if they refused to pay. — Nicole M. Argentieri, Head of the DOJ Criminal Division, May 2024

Key Takeaways for Defenders

  1. RMM platforms are high-value targets: Any software that has trusted, broad access to endpoint fleets will attract attacker attention. Internet-facing RMM interfaces should be treated as critical attack surface and restricted accordingly — placed behind VPNs or firewalls, never exposed directly to the public internet without compensating controls.
  2. Patch coordination under responsible disclosure can fail under time pressure: DIVD notified Kaseya months before the attack. The vulnerabilities were known to the vendor. The attack succeeded because patching wasn't complete before REvil exploited the window. Responsible disclosure timelines and vendor patch urgency both matter.
  3. DLL sideloading via trusted binaries bypasses many AV solutions: The REvil delivery chain specifically used a legitimately signed Microsoft binary as the execution vehicle to load malicious code. Security tools that rely on process trust or signature verification alone will miss this technique. Behavioral detection and allowlisting of DLL load paths are more effective controls.
  4. Holiday timing is an operational weapon: Launching on the eve of a major holiday was not coincidental. Defenders and incident response teams should have on-call coverage and monitoring continuity regardless of the calendar.
  5. Downstream MSP clients have limited visibility and control: Organizations relying on MSPs for IT management often have no direct visibility into the tools used to manage their environment. Understanding which RMM platforms your MSP uses, whether those servers are internet-facing, and what their patch posture is are legitimate questions for any managed services contract review.
  6. Law enforcement attribution and prosecution are possible: The Kaseya case resulted in a federal conviction and a 13-year sentence. International cooperation between the U.S., Poland, Ukraine, and other partners made extradition and prosecution viable. This does not deter all actors but demonstrates that anonymity in ransomware operations is not guaranteed.

The Kaseya VSA attack changed how security teams think about MSP supply chains as an attack vector. Prior to July 2021, the dominant supply chain concern was software build pipeline compromise — the SolarWinds model. Kaseya demonstrated that exploiting the management layer itself, without touching source code, could achieve comparable or greater downstream scale. The MSP security posture conversation has matured considerably since then, but the fundamental risk — that a single trusted platform provides keys to hundreds of networks — has not gone away.

— end of briefing