REvil's Kaseya Attack Is the Supply-Chain Ransomware Nightmare We Kept Warning About
REvil exploited a zero-day in Kaseya VSA to hit ~60 MSPs and over 1,000 downstream businesses, demanding $70M for a decryptor.
If you work in IT and your Friday just got ruined, you’re not alone. The REvil ransomware gang found an authentication-bypass zero-day in Kaseya’s VSA remote-monitoring software and used it to push ransomware through managed service providers straight into their clients’ networks. Early estimates put roughly 60 MSPs compromised, cascading down to more than 1,000 businesses across at least 17 countries. That’s the whole point of this style of attack, and it’s exactly why security people have been dreading it.
Kaseya VSA is the kind of tool most end users have never heard of. MSPs use it to remotely manage and patch their clients’ machines at scale — which means it has deep, trusted access into potentially thousands of downstream networks at once. Compromise the tool itself, and you don’t need to breach each target individually. You just ride in on the access the MSP already has. It’s the same logic that made SolarWinds so devastating last December, except this time the payload isn’t quiet espionage — it’s ransomware, loud and disruptive by design.
REvil is asking for around $70 million in Bitcoin for what it’s calling a universal decryptor that would unlock every affected victim at once. Kaseya says it hasn’t paid, and as of this writing there’s no indication that’s about to change. Whether that holds depends a lot on how desperate the downstream victims get, and how long they can tolerate being locked out of their own systems.
The clearest real-world casualty so far is Coop, the Swedish supermarket chain, which had to shut down nearly 800 stores because a point-of-sale system tied to an affected MSP went dark. Grocery stores closing their doors because of a vulnerability in remote-management software three steps removed from their checkout lanes is about as vivid a demonstration of supply-chain risk as you’re going to get. It’s not abstract “cyber” news anymore when the shelves are locked and the registers won’t ring anything up.
What makes this one sting is the timing and the target. Attacking on the Friday before a US holiday weekend is a well-worn ransomware tactic — security teams are thin, response is slower, and attackers buy themselves extra hours before anyone notices. And going after an RMM platform specifically shows REvil (or whoever’s actually behind the tooling this time) understands the MSP business model better than most of the MSPs’ own clients do.
Kaseya has told customers to shut down their on-premises VSA servers immediately, and its SaaS instances were reportedly taken offline as a precaution while the company investigates. That’s the right instinct, but it also means a lot of legitimate remote administration is grinding to a halt right along with the malicious kind, which is its own kind of costly.
Zero-days happen. What’s harder to excuse is how much blast radius a single vendor vulnerability can now carry when that vendor sits at the center of thousands of trust relationships. If there’s a lesson MSPs and their software vendors need to take from this weekend, it’s that the tools built to manage everything at scale are also, by definition, the single most attractive target in the whole chain. Expect a lot of very uncomfortable vendor-risk conversations starting Monday.