REvil Ransomware gang behind the Kaseya VSA Supply-Chain attack

Threat Level – Red | Vulnerability Report


The REvil ransomware group carried out a supply chain attack by exploiting a zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA server and using the compromised servers to push a malicious script to every endpoint they managed. The script dropped the REvil ransomware and encrypted the files of the managed clients, affecting almost 1 million computer devices.

Hive Pro researchers have identified three further zero-day vulnerabilities that were possibly used to target the clients:

Authentication Bypass Vulnerability
Arbitrary File Upload Vulnerability
Code Injection Vulnerability

The techniques used by REvil ransomware, grouped under the MITRE ATT&CK tactic each belongs to:

TA0001 Initial Access
  T1189 Drive-by Compromise
  T1566 Phishing: T1566.001 Spearphishing Attachment
TA0002 Execution
  T1059 Command and Scripting Interpreter: T1059.001 PowerShell, T1059.003 Windows Command Shell, T1059.005 Visual Basic
  T1106 Native API
  T1047 Windows Management Instrumentation
  T1204 User Execution: T1204.002 Malicious File
TA0003 Persistence
  T1574 Hijack Execution Flow: T1574.002 DLL Side-Loading
TA0004 Privilege Escalation
  T1134 Access Token Manipulation: T1134.001 Token Impersonation/Theft, T1134.002 Create Process with Token
  T1574 Hijack Execution Flow: T1574.002 DLL Side-Loading
TA0005 Defense Evasion
  T1134 Access Token Manipulation: T1134.001 Token Impersonation/Theft, T1134.002 Create Process with Token
  T1140 Deobfuscate/Decode Files or Information
  T1055 Process Injection
  T1562 Impair Defenses: T1562.001 Disable or Modify Tools
  T1070 Indicator Removal on Host: T1070.004 File Deletion
  T1036 Masquerading: T1036.005 Match Legitimate Name or Location
  T1112 Modify Registry
  T1027 Obfuscated Files or Information
TA0007 Discovery
  T1083 File and Directory Discovery
  T1069 Permission Groups Discovery: T1069.002 Domain Groups
  T1012 Query Registry
  T1082 System Information Discovery
TA0011 Command and Control
  T1071 Application Layer Protocol: T1071.001 Web Protocols
  T1573 Encrypted Channel: T1573.002 Asymmetric Cryptography
  T1105 Ingress Tool Transfer
TA0010 Exfiltration
  T1041 Exfiltration Over C2 Channel
TA0040 Impact
  T1485 Data Destruction
  T1486 Data Encrypted for Impact
  T1490 Inhibit System Recovery
  T1489 Service Stop
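The technique list is only useful to a SOC once it is turned into something that runs over telemetry. The following is an added example written for this page, not code from Hive Pro, Kaseya or the REvil operators: it evaluates generic detections for five of the listed techniques (T1059 shell spawned by the management agent, T1562.001, T1140, T1490, T1036.005) over constructed Sysmon-style process-creation events and flags hosts where several fire together. The agent image name (AgentMon.exe), the expected Windows Defender directory, and every host, path and command line in the sample data are assumptions chosen for illustration; the rules match the ATT&CK behaviours, not any specific REvil sample.

```python
"""Hunt for several of the techniques listed above in process-creation telemetry.

Added example for this page, not code from Hive Pro, Kaseya or REvil. Events are
constructed, Sysmon Event ID 1 style records; the agent image name, the expected
Defender directory and every path below are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Assumptions, not facts from the advisory: the image name of the endpoint
# management agent, and where a well-known binary is expected to live.
RMM_AGENT_IMAGES = {"agentmon.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
EXPECTED_DIRS = {"msmpeng.exe": "c:\\program files\\windows defender\\"}

_DISABLE_AV = re.compile(r"set-mppreference\b.*-disable\w+\s+\$?true", re.I)
_KILL_RECOVERY = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (technique id, description, predicate): generic ATT&CK detections, not a
# signature for any particular REvil build.
RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("T1059", "management agent spawned a command shell (script pushed from the server)",
     lambda e: _base(e.parent_image) in RMM_AGENT_IMAGES and _base(e.image) in SHELLS),
    ("T1562.001", "Defender protection switched off with Set-MpPreference",
     lambda e: _DISABLE_AV.search(e.command_line) is not None),
    ("T1140", "certutil used to decode a dropped payload",
     lambda e: _base(e.image) == "certutil.exe"
     and re.search(r"-decode(hex)?\b", e.command_line, re.I) is not None),
    ("T1490", "shadow copies deleted or boot recovery disabled",
     lambda e: _KILL_RECOVERY.search(e.command_line) is not None),
    ("T1036.005", "well-known binary name run from an unexpected directory",
     lambda e: _base(e.image) in EXPECTED_DIRS
     and not e.image.lower().startswith(EXPECTED_DIRS[_base(e.image)])),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (host, technique, description, command line) for every rule hit."""
    return [(e.host, tid, desc, e.command_line)
            for e in events for tid, desc, pred in RULES if pred(e)]


def techniques_by_host(events: List[ProcEvent]) -> Dict[str, Set[str]]:
    seen: Dict[str, Set[str]] = defaultdict(set)
    for host, tid, _, _ in evaluate(events):
        seen[host].add(tid)
    return dict(seen)


def hosts_with_chain(events: List[ProcEvent], min_techniques: int = 2) -> List[str]:
    """One hit is often an administrator; several distinct techniques on one
    host, starting from the agent's shell, is the pattern worth paging on."""
    return sorted(h for h, t in techniques_by_host(events).items()
                  if len(t) >= min_techniques)


# Constructed sample telemetry (hypothetical hosts, paths and commands).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\RMM\AgentMon.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true "
              "-DisableIOAVProtection $true"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\Windows\Temp\payload.b64 C:\Windows\Temp\payload.exe"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet"),
    # Benign admin activity: a single PowerShell launch from Explorer.
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-Process"),
    # Legitimate Defender engine from its install directory: no hit.
    ProcEvent("ws03", r"C:\Windows\System32\services.exe",
              r"C:\Program Files\Windows Defender\MsMpEng.exe", "MsMpEng.exe"),
    # Same file name dropped into a user temp directory: masquerading.
    ProcEvent("ws03", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\AppData\Local\Temp\MsMpEng.exe", "MsMpEng.exe"),
]

if __name__ == "__main__":
    for host, tid, desc, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{host} {tid:10} {desc}: {cmd}")
    print("investigate:", hosts_with_chain(SAMPLE_EVENTS))
```

On the sample data, ws01 trips four distinct techniques in sequence from a shell the management agent itself launched, which is the supply-chain signal: the same Set-MpPreference or vssadmin command typed by an administrator from Explorer scores one hit and is left for triage. Feed real Sysmon or EDR process events into ProcEvent and adjust RMM_AGENT_IMAGES and EXPECTED_DIRS to the environment.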

Threat Actor

Vulnerability Details

Indicators of Compromise


