
Understand the Cyberattack that Affected Kaseya

Sep 24, 2021 | BLOG

On July 2, a Russian hacker group exploited a flaw in the management software of the Kaseya company, affecting its systems and causing problems for the company and its customers.

The massive cyberattack affected around 1,500 businesses in 17 countries. The attackers promised to return access to the data in exchange for 70 million dollars, equivalent to 364 million reais.

Hackers promised to release a decryptor so that all files could be recovered in at least an hour after paying the ransom.

Known as “REvil”, the organization claimed responsibility for the virtual attack on Kaseya. It was also responsible for the invasion that halted production at JBS, the world’s largest meat processor, in June this year.

Domino Effect

Headquartered in Florida, United States, Kaseya is responsible for the remote monitoring and management program used by more than 40,000 companies. Of these, only 60 were directly affected by the cyberattack.

However, as many of Kaseya’s customers provide services for other businesses, the systems are interconnected in a network.

This connection resulted in a domino effect, as the installed malware quickly spread and encrypted the files it found along the way.

The supermarket chain Coop, in Sweden, had to suspend the operation of its stores because it was unable to use the cash register system, which was managed by one of Kaseya’s client companies.

How Did the Invasion Take Place?

The malware was ransomware, a type of virus that encrypts the files on a computer. Access is only restored after a ransom is paid to the hacker; in other words, it is the digital equivalent of a data kidnapping.

In this type of cyberattack, ransomware infiltrates frequently used software and spreads as systems are updated.

Encryption is the practice of encoding data, causing it to no longer have the original format and, therefore, no longer be readable by its owners.

Files can only be decrypted and returned to their original format through the use of a specific decryption key. It is for this key that Russian hackers ask for the ransom, as without it the data becomes useless.


This can be considered the biggest cyber-attack with ransomware of all time, as it reached a proportion never seen before in similar cases.

Kaseya asked customers using its system administration platform, VSA, to shut down their servers immediately to reduce the chance of their information being captured by the cyberattack.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Agency (CISA), among other US officials, assisted in the investigations.

US President Joe Biden has warned Russian leader Vladimir Putin to take action against hackers who have been operating in Russia for a long time.

On July 12, Kaseya reported that it had fully recovered its servers. These attacks are an increasingly profitable way to take hostages in the virtual universe.

How Does the Russian Group Operate?

REvil, also called Sodinokibi, is one of the best-known hacker gangs today. It operates with dozens of individuals in a “professional” structure with a clear division of tasks.

While one part of the group breaks into systems, the other is responsible for continuously maintaining the ransomware, managing the group’s finances, and negotiating the ransom for the data with the victims.

The hackers run the attack in double extortion mode: they take control of the network, exfiltrate important and sensitive data, and then activate ransomware that encrypts the victims’ data.

Then, they demand a ransom in cash or bitcoin in exchange for returning control of the data and not disclosing the illegally obtained information.

The group exploited a series of “zero-days” in the product that allowed it to bypass authentication, upload arbitrary files, and install unauthorized software.

With this foothold, they can use a range of tactics and tools to move laterally through the network and access every file they find.

A tool from Kaseya itself may have been used to take control of the system and launch the malicious software, since it holds high-level access privileges on the machines and passes through antivirus as trusted, authorized software.

The exact method used by the group is still unknown; however, the flaws in the American company’s protection of its systems became clear.
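The two behaviours described above, a trusted high-privilege agent launching the payload and that payload rewriting every file it reaches as unreadable ciphertext, can be caught from file-write telemetry even when the writing process is on an antivirus allowlist. The following is an added example written for this post, not Kaseya’s or REvil’s code; the process names, timestamps and written bytes are constructed, and the thresholds are illustrative assumptions.

```python
"""Flag processes that rewrite many files as high-entropy data in a short window.

Added example (not from the original post). Sample events are constructed;
"agentmon.exe" is a hypothetical management-agent process name.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float      # seconds since start of the telemetry capture
    process: str   # process that performed the write
    path: str      # file that was rewritten
    data: bytes    # sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for text/office files."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_mass_encryption(events, window=60.0, min_files=5, min_entropy=7.5):
    """Return {process: max distinct high-entropy files rewritten within one window}."""
    by_proc = defaultdict(list)
    for e in events:
        if shannon_entropy(e.data) >= min_entropy:
            by_proc[e.process].append((e.ts, e.path))
    flagged = {}
    for proc, writes in by_proc.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window:   # slide the window
                start += 1
            distinct = len({p for _, p in writes[start:end + 1]})
            if distinct >= min_files and distinct > flagged.get(proc, 0):
                flagged[proc] = distinct
    return flagged


CIPHERTEXT = bytes(range(256)) * 2                  # constructed: entropy exactly 8.0
PLAINTEXT = b"quarterly report, section 1 text " * 16  # constructed: low entropy
SAMPLE_EVENTS = (
    [WriteEvent(5.0 * i, "agentmon.exe", f"C:/share/doc{i}.xlsx", CIPHERTEXT) for i in range(6)]
    + [WriteEvent(12.0, "winword.exe", "C:/share/memo.docx", PLAINTEXT)]
    + [WriteEvent(100.0 * i, "backup.exe", f"D:/bak/vol{i}.bin", CIPHERTEXT) for i in range(1, 4)]
)
```

The backup process also writes ciphertext-like data but never reaches five distinct files inside one window, so only the agent is flagged.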

