REvil demands $70 million ransom after Kaseya supply chain attack
The cyber gang claims it’s infected “more than a million systems” after exploiting a zero-day flaw in VSA
REvil has infected more than 40 customers of IT management software firm Kaseya in a SolarWinds-style supply chain attack in which ransomware was distributed through a malicious update.
Kaseya revealed this weekend that its cloud-based IT management and remote monitoring product VSA had been compromised, but that the attack affected a small number of its on-premises customers only. The number of victims is estimated to be roughly 40, according to the firm.
The cyber gang exploited a zero-day vulnerability to remotely access internet-facing VSA servers. Given this software is used by many Managed Service Providers (MSPs), this route of entry also gave them a route into these MSP’s customers. Kaseya was targeted because a key functionality of VSA is to push software and automated IT tasks on request, without checks.
The hackers responsible are now issuing varying ransom demands to its victims. REvil is demanding $44,999 from victims if their endpoint has been hit, according to Sophos security researcher Mark Loman. The group, meanwhile, is demanding a sum of $70 million to publish the universal decryptor, while boasting that it’s infected a million devices.
Looking beyond the 40 victims that Kaseya suggests REvil has claimed, Huntress Labs claims that more than 1,000 businesses have had servers and workstations encrypted, including MSPs.
The response to the attack has been stark, with businesses served by the VSA product cutting off their servers from access to the internet. According to Dutch security firm DIVD CSIRT, the number of reachable VSA instances dropped from the norm of 2,200 to less than 140 as of Sunday.
The company confirmed that a DIVD researcher, Wietse Boonstra, had previously identified a zero-day flaw, tracked as CVE-2021-30116, which is now being used in the ransomware attack. This flaw was discovered as part of a wider research project in which the firm is examining flaws in tools for system administrators in products such as Vembu BDR, Pulse VPN and Fortinet VPN.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
“After this crisis, there will be the question of who is to blame,” the company said in a blog post. “From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them.
RELATED RESOURCE
“When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”
Kaseya executives are meeting again today to discuss bringing its data centres online, with a scheduled restoration date and time of 5 July “by the end of the day” local time (UTC). That timeframe is dependent on achieving some key objectives, however.
Once the software as a service (SaaS) data centres have been restored, Kaseya will publish the schedule for distributing its patch for on-premise customers.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
Amazon OpenSearch update targets performance boosts and lower costsNews Surging data volumes have prompted an overhaul of Amazon’s OpenSearch service
-
Cyber experts say they've identified the first case of ‘agentic ransomware’News While the JadePuffer ransomware has alarm bells ringing, it still needed a human in the loop
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recoveryNews Few manage to recover all their data, and many experience business disruption