Kaseya VSA REvil Ransomware Attack Audit

Find Kaseya VSA Components

Kaseya reported that on July 2, there was a potential attack against their VSA module. However, it was immediately followed with the suggestions that customers immediately shut down their VSA servers. "It's critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA.", said their CEO.

At the same time, Kaseya also shut down all of its cloud servers. According to the FBI the attack is a "supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers." It is estimated that over 1000 companies have been hit by the REvil ransomware which is distributed via an automated, fake, and malicious software update using Kaseya VSA dubbed "Kaseya VSA Agent Hot-fix". The attackers were able to use a 0-day vulnerability disclosed to Kaseya earlier by the Dutch Institute for Vulnerability Disclosure (DIVD) to launch their attack. Reportedly Kaseya was in the midst of validating a patch that would have fixed the vulnerability when the attack was launched.

In addition to shutting down Kaseya VSA servers, a Kaseya VSA Detection script has been provided to check if machines either running server or agent components have been compromised. Meanwhile the group behind the attack has posted a blog where they claim that they have compromised more than a million systems and are willing to negotiate for a universal decryptor for $70 million.


To help you get an overview of all Kaseya connected devices, we've created a special report that lists all assets that meet one of the following criteria:

  • Has a service with "Kaseya" in the name (either server components or endpoint client).
  • Has a database with the name "ksubscribers", the common Kaseya database name.


Kaseya VSA REvil Ransomware Attack Query

Select Top 1000000 tblAssets.AssetID,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tsysOS.OSname As OS,
Service.[Service Name],
Service.[Service Path],
Service.[Service Start Mode],
Service.[Service State],
DB.displayVersion As [SQL Version],
DB.skuName As [SQL Edition],
DB.name As [DB name],
DB.dataFilesSizeKb As [DB Size],
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
Left Join (Select tblServices.AssetID,
tblServicesUni.Caption As [Service Name],
tblServicesUni.Pathname As [Service Path],
tblServiceStartMode.StartMode As [Service Start Mode],
tblServiceState.State As [Service State]
From tblServices
Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
Inner Join tblServiceStartMode On tblServiceStartMode.StartID =
Inner Join tblServiceState On tblServiceState.StateID =
Where tblServicesUni.Caption Like '%Kaseya%') As Service On
Service.AssetID = tblAssets.AssetID
Left Join (Select tblSqlServers.AssetID,
From tblSqlServers
Inner Join tblSqlDatabases On tblSqlDatabases.sqlServerId =
Where tblSqlDatabases.name = 'ksubscribers') As DB On DB.AssetID =
Where (Service.[Service Name] Is Not Null Or DB.name Is Not Null) And
tblState.Statename = 'Active'
Order By tblAssets.Domain,

Audit and Take Action in 3 Easy Steps


1. Download & Install Lansweeper


3. Run the Audit & Take Action

Download Lansweeper to Run this Audit

Harness the Power of Reporting