Kaseya VSA Zero-Day Supply Chain Ransomware Attack

  • 7 July 2021
  • Sr. Security Analyst & Community Manager

Attackers carried out a supply chain ransomware attack by leveraging a zero-day vulnerability in Kaseya's VSA software on Friday, July 2, 2021. A compromised Kaseya update reached VSA on-premises servers, from where, using the system’s internal scripting engine, the ransomware was deployed to all connected client systems.

For official ongoing updates and instructions from Kaseya, visit https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689.

Webroot has been closely monitoring this situation since first encountering the associated malicious payloads at 16:46 GMT. After quickly determining these payloads to be malicious, all endpoints began detecting and blocking the supply chain attack in real time for our customers.


For Webroot Customers Running Kaseya  


Any Webroot customers running Kaseya would have been notified of a block of the following threats: 



MD5: A47CF00AEDF769D60D58BFE00C0B5421 





The following IP addresses were seen associated with the attack and are blocked by our BrightCloud® Threat Intelligence database:

Please note that these IPs will likely be secured or reassigned in the near future and will be re-evaluated then.

If you use Kaseya in your environment, please shut down the VSA server immediately and follow the updates directly from Kaseya, as they are providing instructions on when servers will be back online.

Official Kaseya Update 


Other Links 




2 replies


Thanks Tyler!

Thank you so much