TTPs Used by REvil (Sodinokibi) Ransomware Gang in Kaseya MSP Supply-Chain Attack


Kaseya MSP Supply-Chain Attack

Picus Labs has updated the Picus Threat Library with the REvil (Sodinokibi) ransomware samples used in a massive cyberattack that targets multiple Managed Service Providers (MSPs) and thousands of their customers. Like other recent large-scale cyberattacks, this one is a supply-chain attack: the REvil ransomware gang targeted MSPs and their customers through Kaseya VSA, a cloud-based MSP platform that enables service providers to perform patch management and client monitoring.

Attack Simulation

You can test your security controls against this attack using the Picus Security Control Validation Platform. The Picus Threat Library includes the following threats for the REvil (Sodinokibi) ransomware samples used in the Kaseya MSP supply-chain attack. In addition to these new samples, the Picus Threat Library includes 19 REvil (Sodinokibi) ransomware variants used in previous attack campaigns. As of July 4, 2021, Picus includes 1176 ransomware threat samples for 179 malware families, including DarkRadiation, Darkside, Clop, Crysis, RagnarLocker, WastedLocker, NetWalker, and RYUK.


Kaseya’s Recommendations

Kaseya issued a new update advising on-premises Kaseya partners to keep their VSA servers offline until further instructions on when it is safe to resume operations. Kaseya also stated that SaaS and hosted VSA servers will be brought back online once it has determined that operations can be safely restored.

Read more about the attack life-cycle and Tactics, Techniques and Procedures (TTPs), the MITRE ATT&CK tactics and techniques employed, and the Indicators of Compromise (IOCs) here.

PAMA – Official distributor of Picus in Vietnam


Translator: Nguyễn Thùy Trang
