Compromise · Severity: Critical · 2021-07-02

REvil Kaseya VSA supply-chain ransomware compromise

published by CISA
Actor
REvil · RU (Russia) · Ransomware

Russian ransomware-as-a-service operation derived from GandCrab in April 2019. Conducted the 2021 Kaseya VSA supply-chain compromise (~1,500 downstream victims via 60 MSPs), the JBS Foods $11M ransom…

Summary

REvil affiliates exploited a zero-day authentication bypass in Kaseya's VSA RMM platform (CVE-2021-30116) and pushed a malicious update to ~60 managed service providers, encrypting an estimated 1,500 downstream customer networks in a single weekend. REvil initially demanded a $70M lump sum for a universal decryptor; Kaseya later obtained a universal decryptor key from an undisclosed source. The operation triggered the U.S. pressure that led to REvil's mid-July 2021 disappearance and to the FSB's January 2022 arrest of 14 alleged members.

Tags

supply-chain, msp, ransomware, zero-day

Primary source

cisa.gov
