Kaseya VSA Ransomware 2021: 1,500 Businesses Hit Through One MSP Tool
Breach Summary
The Kaseya VSA ransomware attack of July 4, 2021 was the most impactful ransomware supply chain attack in history — exploiting a zero-day vulnerability in Kaseya's remote monitoring and management software to push REvil ransomware to approximately 1,500 businesses through their managed service providers, on the Independence Day holiday weekend when IT staff coverage was minimal.
What Happened
On July 2, 2021, REvil operators exploited the Kaseya VSA zero-day to push ransomware through approximately 60 Kaseya MSP customers to their downstream clients. Kaseya shut down its VSA SaaS platform and issued emergency guidance to on-premises VSA customers to take their servers offline. The attack affected businesses across 17 countries including grocery chain Coop Sweden, which was forced to close 800 stores because its POS systems were managed through a Kaseya-using MSP. REvil demanded $70 million for a universal decryptor or individual ransoms ranging from $45,000 to $5 million per victim. The US government obtained a decryptor key and distributed it through Kaseya to victims in July 2021, without payment.
Attack Vector Detail
The attackers exploited CVE-2021-30116, a zero-day authentication bypass and arbitrary code execution vulnerability in Kaseya VSA — the remote monitoring and management platform used by MSPs to manage customer endpoints. By exploiting the authentication bypass, attackers could send malicious commands to a VSA server, which the server would then distribute, as if they were legitimate management tasks, to every endpoint managed through that VSA instance.
The attack was executed on July 2, 2021 — the Friday before the July 4 holiday weekend — to maximize the window before IT staff would notice. Kaseya had been working with researchers from DIVD (the Dutch Institute for Vulnerability Disclosure), who had discovered the vulnerability, and was days away from releasing a patch. The attackers struck before the patch was released.
Breach Pattern Timeline
Pre-July 2021
REvil/Sodinokibi ransomware group identifies CVE-2021-30116, a zero-day authentication bypass in Kaseya VSA — a remote monitoring and management (RMM) tool used by managed service providers (MSPs) to administer thousands of downstream customer environments.
July 2, 2021 (Friday before July 4 weekend)
REvil deploys mass exploitation of the Kaseya VSA zero-day, pushing ransomware downstream through ~50-60 MSPs to ~1,500 small-to-mid-sized businesses worldwide. Timed for Independence Day weekend.
July 3, 2021
Kaseya pulls VSA SaaS offline and instructs on-premises customers to shut down VSA servers. CISA issues guidance. Coop, Sweden's largest grocery chain, is the most-publicized victim — 800 stores closed for several days.
July 5, 2021
REvil demands $70 million for universal decryptor — extraordinary ransom amount reflecting scope of victims. Most individual organizations face $45,000-$5M demands.
July 11-13, 2021
Kaseya publishes patch and resumes VSA operations. President Biden raises ransomware with President Putin in summit; threatens response.
July 13, 2021
REvil's dark web infrastructure goes offline. Group disappears from public communications — likely a combination of an internal decision and law enforcement pressure.
July 22, 2021
Kaseya obtains universal decryptor from a 'trusted third party' (later reported as FBI-obtained). Kaseya states no ransom was paid.
November 2021
U.S. DOJ unseals indictment against Yaroslav Vasinskyi (Ukrainian) and Yevgeniy Polyanin (Russian) for the Kaseya attack. Vasinskyi was later extradited to the U.S. in May 2023 and pleaded guilty in 2024.
2022-2024
Kaseya becomes definitive case study for managed service provider supply chain risk. Industry-wide review of MSP/RMM security controls. CISA publishes MSP/MSSP attack-resistance framework.
Total impact: ~1,500 small-to-mid businesses worldwide affected via ~50-60 MSPs, $70M universal ransom demand (unprecedented), foundational precedent for MSP supply chain risk and law enforcement-supplied decryptor as alternative to ransom payment.
Executive Lessons
Kaseya established that MSP software — tools used by managed service providers to administer thousands of client environments simultaneously — represents a force-multiplier target for ransomware groups. Compromising a single MSP tool can provide simultaneous access to every client the MSP serves. For organizations using managed service providers, the Kaseya case reinforces the need to evaluate MSP vendor security as a direct extension of your own security posture.
Private Equity Implications
The Kaseya attack is essential context for PE portfolio companies that rely on MSPs for IT management. An MSP that manages portfolio company infrastructure through an RMM platform has privileged access equivalent to domain administrator across every system it manages. The security posture of the MSP's own systems — including the RMM platform versions deployed — directly affects the portfolio company's risk exposure. MSP security assessments and contractual security requirements are a standard component of Cloudskope's portfolio company security program development.