Connect with random people instantly. Find them in the world’s largest group chat. The “Omegle” for people who don’t want to get creepy messages from old people and weird strangers! Free private chat forever, and meet people along the way. Zonish is also great for you to contact your friends anonymously. is also the best way to contact your friends anonymously, without your parents finding out! Our site is pretty much a way for you to launder your chats. Statistically, the chance of someone finding your chat is impossible, unless they are with you in real life, looking at your computer or device. We hope to make the internet a safer and more secure place for everyone to chat on, without the risks of being spied on, by anyone untrustworthy. Talking to strangers online can be sketchy, so if you are ever talking to someone you don’t feel comfortable with, please just leave the chat. If you are reading this, please let us know if you have any ideas, questions, or concerns for our website here: [email protected] Thanks for reading and enjoy chatting!

REvil’s Grand Coup | Abusing Kaseya Managed Services Software for Massive Profits

Executive Summary

  • A suspected zero-day exploit was used to deliver REvil’s Sodinokibi ransomware to thousands of corporate endpoints.
  • Attackers targeted Kaseya VSA servers commonly used by Managed Security Service Providers and IT management firms in order to reach the breadth of their respective customers.
  • The attackers abused a variety of benign components, such as certutil.exe, Microsoft Defender, and stolen digital certificates as part of their execution chain.
  • At this point, this appears to be the largest mass-scale ransomware incident to date. In an unexpected twist, the attackers are offering a universal decryption tool for all victims at a lump sum of $50 million (originally $70 million).
  • In this post, we cover the attack’s execution chain, provide a video showing SentinelOne Singularity’s response against the attack, and provide indicators as well as hunting rules to assist defenders.

What Happened?

On Friday, July 2nd, 2021 a well-orchestrated, mass-scale, ransomware campaign was discovered targeting customers of Kaseya’s managed services software and delivering REvil ransomware. It was initially considered a supply chain attack, a safe assumption at that scale, but with time it became apparent that the attackers were instead leveraging a zero-day exploit against internet-facing Kaseya VSA servers.

Kaseya’s initial advisory underscored the severity of the situation as the company instructed customers to shut down VSA servers until further notice.

Initial statement from Kaseya

Since then, Kaseya has engaged the security community and triaged the root cause of this incident. This post seeks to unravel the infection chain, highlight relevant indicators, and clarify protections for our customers.

Malware execution chain

Kaseya VSA Exploit and Infection Chain

Current findings show logic flaws in one of the VSA components (dl.asp) may have led to an authentication bypass. The attackers could then use KUpload.dll to drop multiple files including ‘agent.crt’, a fake certificate that contains the malware dropper. Another dropped artifact, Screenshot.jpg, appears to be a JavaScript file and has only been partially recovered at this time. Specific details regarding the exact nature of the exploit used are still being discovered as the analysis is ongoing.

The suspected exploit chain ends with a SQL injection in userFilterTableRpt.asp in order to queue up a series of VSA procedures that would execute the malware and purge the logs. This activity was seen originating from a hijacked AWS EC2 instance 18.223.199[.]234. Additional activity was observed originating from 161.35.239[.]148 (DigitalOcean), 162.253.124[.]16 (Sapioterra), and 35.226.94[.]113 (Google Cloud).

REvil malware infection chain

The malicious procedure was labeled ‘Kaseya VSA Agent Hot-fix’. This is a series of commands that check for internet access and use PowerShell to disable a sequence of native Operating System security measures including real-time monitoring, intrusion prevention, network protection, and sample auto-submission. The procedure then invokes the native certutil.exe application commonly used to validate certificates and uses it to decode the contents of ‘agent.crt’ into an executable, agent.exe.

The agent.exe binary was compiled on July 1st, 2021 and acts as a dropper for two embedded executable resources, ‘MODLIS’ and ‘SOFTIS’.

Resources embedded in agent.exe

Resource 101, SOFTIS is an outdated legitimate Microsoft Defender executable that is being used to sideload the malicious payload. It’s worth noting that this delivery mechanism of a sideloading dyad (a two-part execution chain) has been used to deliver REvil as early as April 2021.

The payload itself is contained in resource 102, under the resource name ‘MODLIS’.

 SHA256 e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 SHA1 e1d689bf92ff338752b8ae5a2e8d75586ad2b67b MD5 7ea501911850a077cf0f9fe6a7518859 Compilation Timestamp 2021-07-01 12:39:06 Signature Date 2021-07-02 23:15:00 Size 788.88 KB Digital Signature PB03 TRANSPORT LTD. 

In order for the malicious payload to be sideloaded by Microsoft Defender, the DLL is dropped at %WinDir%\MpSvc.dll and exports the functions ServiceCrtMain, ServiceMain, and SvchostPushServiceGlobals. The file is signed with a stolen digital certificate from a Canadian transport company. It’s one of several stolen certificates recently employed by REvil. The ransomware employs statically-linked OpenSSL to conduct its cryptographic operations. ServiceCRTMain() creates a thread that will deobfuscate the main payload.

While the IOCs directly relevant to the Kaseya incident are a specific subset, we have collected samples for a cluster of similar execution chains including the Microsoft Defender sideloading dyad and still valid stolen digital certificates. We have provided hashes and YARA signatures at the end of this post to help identify additional files signed with these stolen certificates.

During this process, netsh.exe (as we have seen with prior REvil samples) is also called, making the following adjustment to local firewall rules:

netsh.exe netsh advfirewall firewall set rule "group=Network Discovery" new enable=Yes

The following are still valid signers. We have provided YARA signatures at the end of this post to help identify additional files signed with these stolen certificates.

    thumbprint = “282ebc0a99a6328343a7d7706465778c3925adb6”
    thumbprint = “11ff68da43f0931e22002f1461136c662e623366”
  • OOO Saylent
    thumbprint = “0d61738e6407c01d5c9f477039fb581a5f81f436”

Encryption and Post Encryption Behavior

The Salsa20 encryption algorithm used by this variant of the REvil ransomware is incredibly fast compared to other common encryption algorithms and is an optimal choice for a ransomware operation of this magnitude. Other highly-prolific ransomware families have employed the same algorithm (e.g., DarkSide & later variations of Petya / GoldenEye).

Once the contents of the machine have been successfully encrypted, ransom notes are dropped alongside encrypted files and the machine’s wallpaper is changed to alert users to their predicament.

Ransom note displayed upon infection

The ransom note directs users to an .onion site and an alternative for those that don’t have access to TOR. The site asks for the key appended to the ransom note before providing a ransom amount for that specific endpoint, along with a timer that indicates how long the victim has to pay before the ransom demand increases. The standard demand for a non-corporate domain machine is the equivalent of $44,999 in Monero (XMR) or Bitcoin (BTC). Taking a broader view, the REvil gang has reportedly offered a universal decrypter for the eye-watering lump sum of $70 million (later amended to $50 million).

July 4th Update from the REvil gang

Latest Developments

On Monday, July 5, Kaseya announced they are developing a new patch for on-premise installations in order to assist customers in getting back to service. Kaseya also published a Compromise Detection Tool for customers to check if their on-premise installation had been actually compromised.

Since this outbreak, attackers have been scanning for Kaseya on-premise internet exposed servers using publicly available platforms such as This time window allows attack groups besides REvil to obtain immediate access over the internet to customer-sensitive networks.

This attack proves again the necessity for a modern EDR solution which defends against improper use of built-in operating system executables (LOLBINs), such as detecting certutil.exe writing executables or usage of signed software such as MsMpEng.exe running from unexpected locations and executing unexpected software.

This threat is detected and mitigated by SentinelOne:

SentinelOne vs REvil (Sodinokibi)
Preventing the Kaseya Ransomware Attack


While the full impact of this attack is still unfolding, it’s a further escalation in the sophistication of cybercrime, not only on the technical side but also in how the attack was orchestrated. It’s clear that the perpetrators are well aware of the PR implications and will use widespread disruptions to try to maximize the payouts. This is yet another reminder of why security products need to leverage the power of data, specifically rich behavioral data, and AI. Malware and ransomware are increasingly cunning and novel in their techniques to compromise devices. A data-driven and AI-powered approach creates an autonomous posture to cybersecurity. It’s not enough to use signature-based or human-powered legacy solutions to protect your organization’s attack surfaces as every second counts when defending from advanced attacks like this one.

While we continue to uncover the full ramifications of this attack, our advice to defenders is to always act under the assumption that their networks are already host to malicious actors. The exorbitant profits realized by cyber criminals will only add to the sophistication of the attacks we’ll continue to see, the means and motivations are already there. Ransomware is a reality that every organization must face operating in the digital age. Cybersecurity today has become a critical part of corporate operations: the ability for malicious actors to disrupt and profit has reached new levels of relevance as a possible existential threat to businesses.

Indicators of Compromise


agent.crt encoded dropper

agent.exe dropper


Additional recent REvil activity including dyad droppers and payloads with still valid stolen digital signatures:


MITRE TTPs Used in Kaseya Attack

T1112 – Modify Registry
T1012 – Query Registry
T1082 – System Information Discovery
T1120 – Peripheral Device Discovery
T1491 – Defacement
T1543.003 – Create or Modify System Process: Windows Service
T1036 – Masquerading
T1036.003 – Masquerading: Rename System Utilities
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1106 – Native API

YARA Hunting Rules for REvil/Kaseya Artifacts

 import "pe" import "math" rule cw_REvil_Kaseya_BUKTBAI_stolenCert { meta: desc = "Stolen digital certificate: BUKTAI" author = "JAG-S @ SentinelLabs" last_modified = "07.02.2021" version = "1.0" hash = "d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20" hash = "d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f" hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e" hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7" condition: uint16(0) == 0x5a4d and for any signer in pe.signatures: ( signer.subject == "/C=RU/L=Samara/O=BUKTBAI, OOO/CN=BUKTBAI, OOO" or signer.serial == "42:c1:64:9a:6b:80:64:0f:ad:7a:fb:b8:3e:29:81:52" or signer.thumbprint == "282ebc0a99a6328343a7d7706465778c3925adb6" ) } rule cw_REvil_Kaseya_PB03TRANSPORT_stolenCert { meta: desc = "Stolen digital certificate: PB03 TRANSPORT" author = "JAG-S @ SentinelLabs" last_modified = "07.02.2021" version = "1.0" hash = "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd" hash = "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2" hash = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e" condition: uint16(0) == 0x5a4d and for any signer in pe.signatures: ( signer.subject == "/C=CA/ST=Ontario/L=Brampton/O=PB03 TRANSPORT LTD./CN=PB03 TRANSPORT LTD." or signer.serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0" or signer.thumbprint == "11ff68da43f0931e22002f1461136c662e623366" ) } rule cw_REvil_Kaseya_SAYLENT_stolenCert { meta: desc = "Stolen digital certificate: PB03 TRANSPORT" author = "JAG-S @ SentinelLabs" last_modified = "07.02.2021" version = "1.0" hash = "cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6" hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f" condition: uint16(0) == 0x5a4d and for any signer in pe.signatures: ( signer.subject == "/C=RU/L=Cherepovetz/O=OOO Saylent/CN=OOO Saylent" or signer.serial == "00:bd:df:46:f3:a2:de:7d:2b:fb:f5:16:9a:e9:76:d9:7e" or signer.thumbprint == "0d61738e6407c01d5c9f477039fb581a5f81f436" ) } rule cw_REvil_Kaseya_Dropper { meta: desc = "Dropper for Microsoft Defender + Sodinokibi DLL Sideload" author = "JAG-S @ SentinelLabs" last_modified = "07.02.2021" version = "1.0" hash = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e" hash = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f" hash = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7" hash = "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471" strings: $drop_ransom = "mpsvc.dll" ascii wide fullword $drop_defender = "MsMpEng.exe" ascii wide fullword $drop_path = "C:\\Windows\\" wide fullword condition: uint16(0) == 0x5a4d and ( 2 of ($drop*) and pe.number_of_resources == 2 and for all rsrc in pe.resources: ( math.entropy(rsrc.offset, rsrc.length) >= 6.7 ) ) } 

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security