
Kaseya VSA Users

SpearTip | July 2nd, 2021


SpearTip’s engineers have become aware of an urgent ransomware attack in progress affecting Kaseya VSA users. The only way to prevent a breach is to block Kaseya VSA, whether you use the cloud-hosted service or run the solution on-premises. Kaseya is currently pushing a hotfix for this issue. Kaseya provides IT management software to MSPs.

Ransomware Attack Affecting Kaseya VSA Users

According to security researchers, a ransomware encryptor is being dropped to:

The VSA fix is being named “Kaseya VSA Agent Hot-fix” and at least two tasks are running:

A copy of the encryptor is digitally signed with a valid signature carrying this information:

When the executable runs, these files are being dropped into the hardcoded path c:\Windows:

  • MsMpEng[.]exe – Named to impersonate the Windows Defender executable and hide the encryption process. (The legitimate executable normally runs from Program Files.)

  • mpsvc.dll

Confirmed IoCs:

  • MD5: 561CFFBABA71A6E8CC1CDCEDA990EAD4
  • SHA1: 5162F14D75E96EDB914D1756349D6E11583DB0B0
  • SHA256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  • SHA256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
  • SHA256: e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
  • MsMpEng.exe SHA256: 33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A
  • mpsvc.dll SHA256: 8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD

Other files involved:

Additional information added 4:25 CT, Fri, Jul 2:

VSA user admin accounts are being disabled just moments before ransomware is being deployed. VSA security notifications indicated the “KEleveted######” account, which is an SQL user, performed this action. Evidence likely points to execution via SQL commands.

Digital Signature used by ransomware operators:

  • Name: PB03 TRANSPORT LTD.
  • Issuer: Sectigo RSA Code Signing CA
  • Thumbprint: 11FF68DA43F0931E22002F1461136C662E623366
  • Serial Number: 11 9A CE AD 66 8B AD 57 A4 8B 4F 42 F2 94 F8 F0
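The following hunt script is an added example and is not part of SpearTip’s post or Kaseya’s tooling. It checks a single Windows host for the indicators given above: the two files dropped into C:\Windows, the published MD5/SHA1/SHA256 hashes, and the code-signing certificate thumbprint. Only the hashes, file names and thumbprint come from the post; the script structure, variable names and the extra sweep of top-level SystemRoot binaries are assumptions of this example.

```powershell
# Added example (not from the SpearTip post). Run in an elevated PowerShell
# session on a host managed by Kaseya VSA. Indicator values below are the ones
# published in the post; everything else is this example's own design.

$IocHashes = @{
    MD5    = @('561CFFBABA71A6E8CC1CDCEDA990EAD4')
    SHA1   = @('5162F14D75E96EDB914D1756349D6E11583DB0B0')
    SHA256 = @(
        'D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E',
        '8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD',
        'E2A24AB94F865CAEACDF2C3AD015F31F23008AC6DB8312C2CBFB32E4A5466EA2',
        '33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A'
    )
}
# Thumbprint of the "PB03 TRANSPORT LTD." signing certificate from the post.
$BadSignerThumbprint = '11FF68DA43F0931E22002F1461136C662E623366'

# The post says both files are written to the hardcoded path C:\Windows.
$DropPaths = @(
    (Join-Path $env:SystemRoot 'MsMpEng.exe'),
    (Join-Path $env:SystemRoot 'mpsvc.dll')
)

$Findings = @()

function Add-Finding([string]$Path, [string]$Reason) {
    $script:Findings += [pscustomobject]@{ Path = $Path; Reason = $Reason }
}

foreach ($Path in $DropPaths) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { continue }

    # Presence alone is suspicious: the real MsMpEng.exe runs from
    # Program Files, not from the Windows directory.
    Add-Finding $Path 'Unexpected file in SystemRoot'

    # Compare every published hash type against the on-disk file.
    foreach ($Algo in $IocHashes.Keys) {
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm $Algo).Hash.ToUpper()
        if ($IocHashes[$Algo] -contains $Hash) {
            Add-Finding $Path "$Algo matches published IoC $Hash"
        }
    }
}

# The certificate is a more durable indicator than a file hash: a repacked
# binary gets a new hash but is still signed by the same certificate.
# Sweep the top-level SystemRoot executables and DLLs for that signer.
Get-ChildItem -LiteralPath $env:SystemRoot -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $Sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($Sig.SignerCertificate -and
            $Sig.SignerCertificate.Thumbprint -eq $BadSignerThumbprint) {
            Add-Finding $_.FullName "Signed by $($Sig.SignerCertificate.Subject)"
        }
    }

if ($Findings.Count -gt 0) {
    Write-Warning "Kaseya VSA ransomware indicators found on $env:COMPUTERNAME"
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "No published indicators found on $env:COMPUTERNAME"
}
```

The script only reads files and signatures, so it is safe to push to every managed endpoint through whatever tooling is still trusted; a non-empty findings table means the host should be isolated and the drop files preserved for forensics rather than deleted.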

To block the communications at the firewall, use Kaseya’s Cloud Addresses and Ports listing.
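As an added example of the firewall step just described (not SpearTip’s or Kaseya’s own script), the following creates outbound Windows Firewall block rules for the Kaseya cloud endpoints. Kaseya’s address list is not reproduced here; the example assumes you export that listing to a CSV named kaseya-cloud-endpoints.csv with columns Address, Port and Protocol (that file name and layout are this example’s assumption), and it includes a rollback switch for when the hotfix is confirmed.

```powershell
# Added example (not from the SpearTip post or Kaseya). Requires an elevated
# session and the NetSecurity module present on Windows 8 / Server 2012 and later.
param(
    # Assumed: CSV you prepare from Kaseya's "Cloud Addresses and Ports" listing.
    [string]$EndpointCsv = '.\kaseya-cloud-endpoints.csv',
    # Remove the rules again once Kaseya gives the all-clear.
    [switch]$Remove
)

$RulePrefix = 'Block-Kaseya-VSA-Cloud'

if ($Remove) {
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    Write-Host 'Kaseya VSA block rules removed.'
    return
}

if (-not (Test-Path -LiteralPath $EndpointCsv -PathType Leaf)) {
    throw "Endpoint list not found: $EndpointCsv"
}

foreach ($Row in (Import-Csv -LiteralPath $EndpointCsv)) {
    # One rule per endpoint so individual entries can be audited or removed.
    $Name = "$RulePrefix $($Row.Address):$($Row.Port)/$($Row.Protocol)"

    # Idempotent: skip entries that already have a rule.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { continue }

    New-NetFirewallRule -DisplayName $Name `
        -Direction Outbound -Action Block -Profile Any -Enabled True `
        -RemoteAddress $Row.Address -Protocol $Row.Protocol -RemotePort $Row.Port |
        Out-Null
    Write-Host "Created rule: $Name"
}
```

For an on-premises VSA server, pair this with the inbound block (or the full shutdown Kaseya recommends below), since blocking only the cloud addresses does nothing for a locally hosted server.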

Based on forensic investigations of the intrusion, there are strong connections to the REvil ransomware group or affiliates. REvil has targeted at least 6 large MSPs through the supply-chain attack on Kaseya’s VSA servers.

If your organization is utilizing this service and needs assistance in preventing this ransomware from spreading, call our 24/7 Security Operations Center at 833.997.7327.

Kaseya released this statement in regards to the VSA service, “We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA.”

*More information will be added to this article as our engineers investigate*
