Commentary: REvil Ransomware Strikes Again, Thousands of SMB's Potentially Infected

The Kaseya incident is the largest ransomware supply-chain attack to date. How can your organization best protect itself? 

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.

On Friday, July 2, 2021, before the American Fourth of July long weekend, affiliates of the REvil RaaS (Ransomware-as-a-Service) threat actors executed a supply-chain attack through Kaseya’s remote IT management software, specifically affecting its Virtual System Administrator (VSA).


Kaseya, a software platform designed to help manage IT services remotely, and its affiliated partner researchers, were aware of the exploit and were working on a patch when the REvil ransomware was launched. In a sprint between threat actors and security experts, the bad guys won out before a patch could be implemented.  


The attack affected hundreds and likely thousands of businesses globally with the REvil ransomware demanding USD 70 Million in Bitcoin to restore the encrypted data being held captive. 


The timing was not coincidental as major cyber attacks similar to this one are carefully coordinated to commence around major holidays with threat actors anticipating slower response times and a generally sparse IT staff during the attack.


Kaseya released a statement noting that they immediately disconnected their servers and have maintained communication with all of their 36,000+ clients about the incident. Their actions allowed them to contain their breach to less than 60 clients; however, of those that were affected, more than 30 were MSPs which in turn have thousands of their own clients who could be affected.


Who was affected?

The far-reaching impacts of the attack are still being pieced together as thousands of companies globally were targeted. Some larger retailers like Swedish Coop supermarkets needed to shut down hundreds of stores as their checkout cash register system was taken offline.


CISA and the FBI have released Guidance for MSPs and their customers affected by the Kaseya VSA Supply-Chain Ransomware Attack and encouraged all affected organizations to "follow Kaseya's guidance to shut down VSA servers immediately." Kaseya has also been posting regular updates as to their diligent resolution of this vicious attack.



The Kaseya ransomware attack further highlights the vulnerabilities and potentially catastrophic disruptions that all organizations can be susceptible to, with cyber threat actors growing bolder and more sophisticated at an immeasurable pace. With the increasing level of danger in the cyber world, it’s more important than ever to solidify your organization’s posture and preparedness against the rising cyber threat.


What can be done to protect your organization from future cyber threats?

The best time to create an Incident Response Plan to combat a cyber attack is before an attack occurs. To that end, Blackpanda recommends a regular Compromise Assessment that sweeps your internal network and endpoints to ensure it is free of threat actors, signs of compromise, and malware. To find out more about Blackpanda Compromise Assessments, reach out to us via our website or email us at

Interested in speaking to a DFIR specialist? 

Additional Resources