
REvil Ransomware gang behind the Kaseya VSA Supply-Chain attack

Threat Level – Red | Vulnerability Report

The REvil ransomware group carried out a supply-chain attack by exploiting a zero-day vulnerability (CVE-2021-30116) in on-premises Kaseya VSA servers. Through the compromised servers the attackers pushed a malicious script to every endpoint managed by those servers; the script delivered the REvil ransomware, which encrypted the files of the managed clients. REvil itself claimed that around one million devices were affected.

Hive Pro researchers have identified three further zero-day vulnerabilities in Kaseya VSA that were possibly chained with CVE-2021-30116 to reach the managed clients:

Authentication Bypass Vulnerability
Arbitrary File Upload Vulnerability
Code Injection Vulnerability

The MITRE ATT&CK tactics and techniques used by REvil ransomware include:

TA0001: Initial Access
    T1189: Drive-by Compromise
    T1566: Phishing
    T1566.001: Spearphishing Attachment

TA0002: Execution
    T1059: Command and Scripting Interpreter
    T1059.001: PowerShell
    T1059.003: Windows Command Shell
    T1059.005: Visual Basic
    T1106: Native API
    T1047: Windows Management Instrumentation
    T1204: User Execution
    T1204.002: Malicious File

TA0003: Persistence
    T1574: Hijack Execution Flow
    T1574.002: DLL Side-Loading

TA0004: Privilege Escalation
    T1134: Access Token Manipulation
    T1134.001: Token Impersonation/Theft
    T1134.002: Create Process with Token
    T1574: Hijack Execution Flow
    T1574.002: DLL Side-Loading
    T1055: Process Injection

TA0005: Defense Evasion
    T1134: Access Token Manipulation
    T1134.001: Token Impersonation/Theft
    T1134.002: Create Process with Token
    T1140: Deobfuscate/Decode Files or Information
    T1055: Process Injection
    T1562: Impair Defenses
    T1562.001: Disable or Modify Tools
    T1070: Indicator Removal on Host
    T1070.004: File Deletion
    T1036: Masquerading
    T1036.005: Match Legitimate Name or Location
    T1112: Modify Registry
    T1027: Obfuscated Files or Information
    T1574.002: DLL Side-Loading

TA0007: Discovery
    T1083: File and Directory Discovery
    T1069: Permission Groups Discovery
    T1069.002: Domain Groups
    T1012: Query Registry
    T1082: System Information Discovery

TA0011: Command and Control
    T1071: Application Layer Protocol
    T1071.001: Web Protocols
    T1573: Encrypted Channel
    T1573.002: Asymmetric Cryptography
    T1105: Ingress Tool Transfer

TA0010: Exfiltration
    T1041: Exfiltration Over C2 Channel

TA0040: Impact
    T1485: Data Destruction
    T1486: Data Encrypted for Impact
    T1490: Inhibit System Recovery
    T1489: Service Stop
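Several of the techniques above (T1562.001, T1140, T1036.005, T1204.002 and T1574.002) appear together in the endpoint-side execution chain that the referenced Truesec write-up describes: the Kaseya agent spawns cmd.exe, which disables Defender via Set-MpPreference, copies certutil.exe to cert.exe, decodes agent.crt into agent.exe under the agent working directory, and agent.exe drops an MsMpEng.exe outside Defender's real directory so that it side-loads a malicious DLL. The script below is an added example, not Hive Pro's code: it scores constructed process-creation events (the pipe-separated field layout, rule names, weights and threshold are all assumptions) against that chain and reports hosts that cross the threshold, while leaving a host that runs Defender and certutil legitimately unflagged.

```python
"""Behavioural detection for the endpoint-side REvil/Kaseya execution chain.

Added example, not Hive Pro's code. Each line mimics an EDR/Sysmon
process-creation event (the field layout is an assumption); the malicious
lines are constructed to follow public reporting on the Kaseya incident.
"""
import re
from collections import defaultdict

# Constructed events: timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = [
    # ws01: the malicious chain as launched by the Kaseya agent
    "2021-07-02T14:05:01Z|ws01|C:\\Program Files (x86)\\Kaseya\\AgentMon.exe|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c ping 127.0.0.1 -n 4979 > nul & powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
    "-DisableIOAVProtection $true -DisableScriptScanning $true -MAPSReporting Disabled -Force & "
    "copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & echo %RANDOM% >> C:\\Windows\\cert.exe & "
    "C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & "
    "del /q /f c:\\kworking\\agent.crt C:\\Windows\\cert.exe & c:\\kworking\\agent.exe",
    "2021-07-02T14:05:03Z|ws01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\cert.exe|"
    "C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe",
    "2021-07-02T14:05:04Z|ws01|C:\\Windows\\System32\\cmd.exe|c:\\kworking\\agent.exe|c:\\kworking\\agent.exe",
    "2021-07-02T14:05:05Z|ws01|c:\\kworking\\agent.exe|C:\\Windows\\MsMpEng.exe|C:\\Windows\\MsMpEng.exe",
    # ws02: benign noise, Defender from its real path and an admin hashing a file with certutil
    "2021-07-02T14:06:00Z|ws02|C:\\Windows\\System32\\services.exe|"
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.5-0\\MsMpEng.exe|MsMpEng.exe",
    "2021-07-02T14:07:00Z|ws02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -hashfile C:\\tools\\setup.msi SHA256",
]

# (rule id, ATT&CK technique, regex over the command line, weight) -- weights are assumptions
RULES = [
    ("defender_disable", "T1562.001", re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I), 3),
    ("certutil_copy_rename", "T1036.005", re.compile(r"copy\s+/Y\s+\S*certutil\.exe\s+\S*cert\.exe", re.I), 2),
    ("certutil_decode", "T1140", re.compile(r"\bcert(util)?\.exe\s+-decode\b", re.I), 2),
    ("kworking_exec", "T1204.002", re.compile(r"(^|[\s&])c:\\kworking\\agent\.exe", re.I), 2),
]

# Directories the real Defender engine binary is installed under (lower-cased)
LEGIT_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\",
)


def parse_event(line):
    """Split one constructed event line into its fields."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}


def match_rules(ev):
    """Return (rule id, technique, weight) for every rule the event triggers."""
    hits = [(rid, tech, w) for rid, tech, rx, w in RULES if rx.search(ev["cmd"])]
    # Side-loading indicator: MsMpEng.exe running from a path Defender never uses
    img = ev["image"].lower()
    if img.endswith("\\msmpeng.exe") and not img.startswith(LEGIT_DEFENDER_DIRS):
        hits.append(("msmpeng_wrong_path", "T1574.002", 3))
    return hits


def analyze(lines, threshold=5):
    """Aggregate rule hits per host; return hosts whose score reaches the threshold."""
    per_host = defaultdict(lambda: {"score": 0, "techniques": set(), "rules": []})
    for line in lines:
        ev = parse_event(line)
        for rid, tech, w in match_rules(ev):
            h = per_host[ev["host"]]
            h["score"] += w
            h["techniques"].add(tech)
            h["rules"].append(rid)
    return {host: h for host, h in per_host.items() if h["score"] >= threshold}


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_EVENTS).items():
        print(host, info["score"], sorted(info["techniques"]), info["rules"])
```

The per-host scoring matters more than any single rule: certutil -decode or a Defender policy change on its own is noisy in many estates, but the combination of a Defender disable, a renamed certutil, execution from the agent working directory and a misplaced MsMpEng.exe within seconds on one host is the chain the advisory's technique list describes.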

Threat Actor

Vulnerability Details

Indicators of Compromise

Type      Value
IPv4      161[.]35.239.148
SHA256    d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
SHA256    8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
SHA256    e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
SHA256    45aebd60e3c4ed8d3285907f5bf6c71b3b60a9bcb7c34e246c20410cf678fc0c

The hashes are 64 hexadecimal characters long and are therefore SHA-256 digests, not SHA-1. The IP address is defanged and must be refanged (161.35.239.148) before it is used in a search.
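To act on the table above, an analyst typically refangs the address, normalises the digests and then sweeps both a file system and network logs. The script below is an added example, not Hive Pro's code: IOC_TABLE reproduces the advisory's indicators, while the planted file, the extra test digest and the firewall-style log lines in demo() are constructed so that the run completes offline (none of the real samples are present, so no file matches the advisory's own hashes).

```python
"""Sweep files and log lines for the REvil/Kaseya indicators in this advisory.

Added example, not Hive Pro's code. IOC_TABLE reproduces the advisory's
indicators; everything inside demo() is constructed test data.
"""
import hashlib
import os
import re
import tempfile

IOC_TABLE = """\
IPv4 161[.]35.239.148
SHA256 d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
SHA256 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
SHA256 e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
SHA256 45AEBD60E3C4ED8D3285907F5BF6C71B3B60A9BCB7C34E246C20410CF678FC0C
"""

IP_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(value):
    """Undo the [.] and hxxp defanging used in threat-intel feeds."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(table):
    """Parse 'Type Value' lines into normalised sets, rejecting malformed digests."""
    iocs = {"ip": set(), "sha256": set()}
    for line in table.splitlines():
        if not line.strip():
            continue
        kind, value = line.split(None, 1)
        kind, value = kind.lower(), value.strip()
        if kind == "ipv4":
            iocs["ip"].add(refang(value))
        elif kind == "sha256":
            digest = value.lower()
            if not re.fullmatch(r"[0-9a-f]{64}", digest):
                raise ValueError(f"not a SHA-256 hex digest: {value}")
            iocs["sha256"].add(digest)
        else:
            raise ValueError(f"unsupported indicator type: {kind}")
    return iocs


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root, iocs):
    """Return (path, digest) for every file under root whose digest is an indicator."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in iocs["sha256"]:
                hits.append((path, digest))
    return hits


def sweep_logs(lines, iocs):
    """Return (ip, line) for every log line that mentions an indicator address."""
    hits = []
    for line in lines:
        for ip in IP_RX.findall(refang(line)):
            if ip in iocs["ip"]:
                hits.append((ip, line))
    return hits


def demo():
    """Constructed end-to-end run: plant a file, register its digest, sweep."""
    iocs = load_iocs(IOC_TABLE)
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "agent.exe")
        with open(planted, "wb") as f:
            f.write(b"constructed sample, not REvil")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign content")
        iocs["sha256"].add(sha256_file(planted))  # constructed test indicator
        file_hits = sweep_files(root, iocs)
    logs = [  # constructed firewall lines
        "2021-07-02T18:02:11Z ws01 outbound 10.0.0.5 -> 161.35.239.148:443 ALLOW",
        "2021-07-02T18:02:12Z ws01 outbound 10.0.0.5 -> 8.8.8.8:53 ALLOW",
    ]
    return [os.path.basename(p) for p, _ in file_hits], sweep_logs(logs, iocs)


if __name__ == "__main__":
    print(demo())
```

Normalising digests to lower case before matching avoids missing the advisory's one upper-case entry, and the strict 64-hex check catches the kind of mislabelled hash type that IOC tables often carry.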

References

https://www.bleepingcomputer.com/news/security/kaseya-was-fixing-zero-day-just-as-revil-ransomware-sprung-their-attack/

https://otx.alienvault.com/pulse/60e40b4535299fb6755143cf

https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack

https://www.tenable.com/blog/cve-2021-30116-multiple-zero-day-vulnerabilities-in-kaseya-vsa-exploited-to-distribute-ransomware

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
