On 2 July 2021, a number of managed service providers (MSPs) and their customers became victims of a ransomware attack perpetrated by the REvil group,[1] causing widespread downtime for over 1,000 companies.[2][3] The attack was carried out by exploiting a vulnerability in VSA (Virtual System Administrator), a remote monitoring and management software package developed by Kaseya.[4]
Researchers at the Dutch Institute for Vulnerability Disclosure identified the first vulnerabilities in the software on April 1. They warned Kaseya and worked together with company experts to fix four of the seven reported vulnerabilities. Despite these efforts, Kaseya could not patch all the bugs in time.[5]
The source of the outbreak was identified within hours as Kaseya's VSA software package.[1] An authentication bypass vulnerability in the software allowed attackers to compromise VSA and distribute a malicious payload through the hosts managed by the software,[6] amplifying the reach of the attack.[7] In response, the company shut down its VSA cloud and SaaS servers and issued a security advisory to all customers, including those with on-premises deployments of VSA.[8]
Initial reports of companies affected by the incident include Norwegian financial software developer Visma, which manages some systems for Swedish supermarket chain Coop.[9] The supermarket chain had to close its 800 stores for almost a week, some of them in small villages with no other food shop. Coop did not pay the ransom, but rebuilt its systems from scratch after waiting for an update from Kaseya.[10]
The REvil ransomware gang officially took credit for the attack and claimed to have encrypted more than one million systems during the incident. They initially asked for a $70 million ransom payment to release a universal decryptor to unlock all affected systems.[11] On July 5, Kaseya said that between 800 and 1,500 downstream businesses were impacted in the attack.[12]
Marcus Hutchins criticized the assessment that the impact of the Kaseya attack was larger than WannaCry, citing difficulties in measuring the exact impact.[13]
After a 9 July 2021 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not.[14][15]
On 13 July 2021, REvil websites and other infrastructure vanished from the internet.[16]
On 23 July 2021, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed "trusted third party" and was helping victims restore their files.[17]
On 8 November 2021, the United States Department of Justice unsealed indictments against Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin. Vasinskyi was charged with conducting ransomware attacks against multiple victims including Kaseya, and was arrested in Poland on 8 October. Polyanin was charged with conducting ransomware attacks against multiple victims including Texas businesses and government entities. The Department worked with the National Police of Ukraine for the charges, and also announced the seizure of $6.1 million tied to ransomware payments. If convicted on all charges, Vasinskyi faces a maximum penalty of 115 years in prison, and Polyanin 145 years in prison.[18]