Cybersecurity · Credibility 89/100 · 1 min read

Kaseya VSA Supply-Chain Ransomware Attack Triggers Global Incident Response

On July 2, 2021, REvil affiliates compromised Kaseya VSA remote monitoring software, weaponizing an automatic update to deploy ransomware across downstream managed service providers and their customers and prompting joint CISA/FBI incident guidance.

Executive briefing: Threat actors associated with REvil exploited vulnerabilities in Kaseya VSA on-premises appliances beginning July 2, 2021. By abusing the software’s update mechanism, attackers pushed a malicious payload that disabled Microsoft Defender and executed ransomware across managed service providers (MSPs) and downstream clients worldwide.

Attack chain

  • Authentication bypass. Chained flaws (including CVE-2021-30116) allowed unauthenticated upload of arbitrary files to VSA servers.
  • Malicious update. The payload distributed via VSA’s agent hot-fix disabled defenses, executed encryptors, and demanded $70 million for a universal decryptor.
  • Supply-chain impact. Hundreds of MSPs and thousands of end customers experienced service disruption, highlighting RMM tooling as a high-value target.

Mitigation guidance

  • Follow CISA/FBI Alert AA21-194A to isolate on-premises VSA servers, apply temporary shutdown scripts, and deploy Kaseya’s compromise detection tool.
  • Accelerate patching to the fixed 9.5.7 builds released July 11, 2021, before reconnecting VSA servers to the internet.
  • Review MSP customer segmentation, credential hygiene, and incident communication plans to limit blast radius from remote management platforms.
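The briefing notes that the payload disabled Microsoft Defender on each endpoint before encryption ran. Because an RMM platform reaches every managed host at once, that tampering tends to arrive as a burst across many machines within minutes, which is an earlier and cheaper signal than the encryption itself. The script below is an added example, not code from the briefing, Kaseya or CISA. It parses constructed, tab-separated Defender event records and raises an alert when real-time protection is disabled on several distinct hosts inside a short window. It relies on Defender’s own event 5001 ("Real-time protection is disabled", provider Microsoft-Windows-Windows Defender), which is documented by Microsoft; the feed format, the window of five minutes and the threshold of three hosts are assumptions chosen for the example.

```python
"""Detect a fleet-wide burst of Microsoft Defender real-time protection being
turned off, the kind of defence tampering a hijacked RMM update produces.

Added example (not from the briefing or from Kaseya/CISA). Input is a
constructed tab-separated feed: timestamp, host, provider, event id, message.
"""
from datetime import datetime, timedelta

# Defender's own record for "Real-time protection is disabled" (Microsoft docs).
DEFENDER_PROVIDER = "Microsoft-Windows-Windows Defender"
RTP_DISABLED_EVENT = 5001

# Constructed sample feed: three hosts lose real-time protection within a
# minute, one host logs an unrelated Defender event, one host is disabled much
# later (an admin action, not a burst).
SAMPLE_FEED = """\
2021-07-02T14:30:02Z\tws-01\tMicrosoft-Windows-Windows Defender\t5001\tReal-time protection is disabled.
2021-07-02T14:30:09Z\tws-02\tMicrosoft-Windows-Windows Defender\t5001\tReal-time protection is disabled.
2021-07-02T14:30:11Z\tws-03\tMicrosoft-Windows-Windows Defender\t1001\tAntimalware scan finished.
2021-07-02T14:30:40Z\tws-04\tMicrosoft-Windows-Windows Defender\t5001\tReal-time protection is disabled.
2021-07-02T16:05:00Z\tws-09\tMicrosoft-Windows-Windows Defender\t5001\tReal-time protection is disabled.
"""


def parse_feed(text):
    """Turn the tab-separated feed into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, provider, event_id, message = line.split("\t", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "provider": provider,
            "event_id": int(event_id),
            "message": message,
        })
    return events


def rtp_disabled_hosts(events):
    """Hosts, in feed order, that reported real-time protection disabled."""
    return [
        e["host"] for e in events
        if e["provider"] == DEFENDER_PROVIDER and e["event_id"] == RTP_DISABLED_EVENT
    ]


def burst_alerts(events, window=timedelta(minutes=5), min_hosts=3):
    """Group 5001 events into bursts that start a new group whenever an event
    falls more than `window` after the burst's first event; return
    (burst_start, sorted distinct hosts) for every burst with >= min_hosts.
    """
    hits = sorted(
        (e["time"], e["host"]) for e in events
        if e["provider"] == DEFENDER_PROVIDER and e["event_id"] == RTP_DISABLED_EVENT
    )
    alerts = []
    burst_start, burst_hosts = None, set()
    for when, host in hits:
        if burst_start is not None and when - burst_start > window:
            if len(burst_hosts) >= min_hosts:
                alerts.append((burst_start, sorted(burst_hosts)))
            burst_start, burst_hosts = None, set()
        if burst_start is None:
            burst_start = when
        burst_hosts.add(host)
    if burst_start is not None and len(burst_hosts) >= min_hosts:
        alerts.append((burst_start, sorted(burst_hosts)))
    return alerts


if __name__ == "__main__":
    for start, hosts in burst_alerts(parse_feed(SAMPLE_FEED)):
        print(f"ALERT {start.isoformat()}Z: real-time protection disabled on {len(hosts)} hosts: {', '.join(hosts)}")
```

The single isolated 16:05 event is deliberately not alerted on: one host losing real-time protection is routine administration, whereas three or more within five minutes is worth paging on, and in a real deployment the threshold would be tuned to fleet size and fed by the SIEM rather than a text file.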

Tags: Kaseya VSA · REvil ransomware · Managed service providers · Supply chain risk