{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,2]],"date-time":"2026-06-02T04:49:33Z","timestamp":1780375773270,"version":"3.54.1"},"reference-count":82,"publisher":"Institution of Engineering and Technology (IET)","issue":"1","license":[{"start":{"date-parts":[[2025,1,31]],"date-time":"2025-01-31T00:00:00Z","timestamp":1738281600000},"content-version":"vor","delay-in-days":30,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/doi.wiley.com\/10.1002\/tdm_license_1.1"}],"content-domain":{"domain":["ietresearch.onlinelibrary.wiley.com"],"crossmark-restriction":true},"short-container-title":["IET Information Security"],"published-print":{"date-parts":[[2025,1]]},"abstract":"<jats:p>In July 2021, the IT management software company Kaseya was the victim of a ransomware cyberattack. The perpetrator of this attack was ransomware evil (REvil), an allegedly Russian\u2010based ransomware threat group. This paper addresses the general events of the incident and the actions executed by the constituents involved. The attack was conducted through specially crafted hypertext transfer protocol (HTTP) requests to circumvent authentication and allow hackers to upload malicious payloads through Kaseya\u2019s virtual system administrator (VSA). The attack led to the emergency shutdown of many VSA servers and a federal investigation. REvil has had a tremendous impact performing ransomware operations, including worsening international relations between Russia and world leaders and costing considerable infrastructure damage and millions of dollars in ransom payments. We present an overview of Kaseya\u2019s defense strategy involving customer interaction, a PowerShell script to detect compromised clients, and a cure\u2010all decryption key that unlocks all locked files.<\/jats:p>","DOI":"10.1049\/ise2\/1655307","type":"journal-article","created":{"date-parts":[[2025,1,31]],"date-time":"2025-01-31T05:55:22Z","timestamp":1738302922000},"update-policy":"https:\/\/doi.org\/10.1002\/crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Analyzing the 2021 Kaseya Ransomware Attack: Combined Spearphishing Through SonicWall SSLVPN Vulnerability"],"prefix":"10.1049","volume":"2025","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3587-3509","authenticated-orcid":false,"given":"Suman","family":"Bhunia","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Matthew","family":"Blackert","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Henry","family":"Deal","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Andrew","family":"DePero","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5852-4139","authenticated-orcid":false,"given":"Amar","family":"Patra","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"265","published-online":{"date-parts":[[2025,1,31]]},"reference":[{"key":"e_1_2_13_1_2","unstructured":"BaM. H. N. BennettJ. GallagherM. andBhuniaS. A Case Study of Credential Stuffing Attack: Canva Data Breach International Conference on Computational Science and Computational Intelligence (CSCI) 2021 IEEE."},{"key":"e_1_2_13_2_2","doi-asserted-by":"crossref","unstructured":"SterleL.andBhuniaS. On SolarWinds Orion Platform Security Breach 2021 IEEE SmartWorld Ubiquitous Intelligence Computing Advanced Trusted Computing Scalable Computing Communications Internet of People and Smart City Innovation (SmartWorld\/SCALCOM\/UIC\/ATC\/IOP\/SCI) 2021 IEEE.","DOI":"10.1109\/SWC50871.2021.00094"},{"key":"e_1_2_13_3_2","doi-asserted-by":"crossref","unstructured":"HuddlestonJ. JiP. BhuniaS. andJoelC. How VMware Exploits Contributed to SolarWinds Supply-Chain Attack International Conference on Computational Science and Computational Intelligence (CSCI) 2021 IEEE.","DOI":"10.1109\/CSCI54926.2021.00190"},{"key":"e_1_2_13_4_2","doi-asserted-by":"crossref","unstructured":"GibsonB. LewisD. TownesS. andBhuniaS. Vulnerability in Massive API Scraping: 2021 LinkedIn Data Breach International Conference on Computational Science and Computational Intelligence (CSCI) 2021 IEEE.","DOI":"10.1109\/CSCI54926.2021.00191"},{"key":"e_1_2_13_5_2","doi-asserted-by":"crossref","unstructured":"RudieJ. KatzZ. KuhbanderS. andBhuniaS. Technical Analysis of the nso Group\u2019s Pegasus Spyware International Conference on Computational Science and Computational Intelligence (CSCI) 2021 IEEE.","DOI":"10.1109\/CSCI54926.2021.00188"},{"key":"e_1_2_13_6_2","unstructured":"Kaseya Unified IT Management Software 2023."},{"key":"e_1_2_13_7_2","unstructured":"TidyJ. Swedish Coop Supermarkets Shut due to US Ransomware Cyber-Attack 2023."},{"key":"e_1_2_13_8_2","unstructured":"MukherjeeS.andFultonC. Coop Other Ransomware-Hit Firms Could Take Weeks to Recover Say Experts 2023."},{"key":"e_1_2_13_9_2","unstructured":"RileyD. Swiss Supermarket Chain Offline as REvil Campaign Targets Kaseya VSA 2023."},{"key":"e_1_2_13_10_2","unstructured":"Kaseya \u201cKaseya Ceo Fred Voccola Addresses Cyberattack and Next Steps for Vsa Customers 2021 https:\/\/www.youtube.com\/watch?v=XfAyutRfy2A."},{"key":"e_1_2_13_11_2","unstructured":"C. I. S. Agency \u201cKaseya Ransomware Attack: Guidance for Affected Msps and Their Customers 2021."},{"key":"e_1_2_13_12_2","unstructured":"Mandiant 2023 https:\/\/www.mandiant.com\/."},{"key":"e_1_2_13_13_2","unstructured":"Fireeye 2023 https:\/\/www.fireeye.com."},{"key":"e_1_2_13_14_2","doi-asserted-by":"publisher","DOI":"10.1177\/20438869241299823"},{"key":"e_1_2_13_15_2","doi-asserted-by":"publisher","DOI":"10.62123\/enigma.v2i1.31"},{"key":"e_1_2_13_16_2","doi-asserted-by":"crossref","unstructured":"BeermanJ. BerentD. FalterZ. andBhuniaS. A Review of Colonial Pipeline Ransomware Attack 2023 IEEE\/ACM 23rd International Symposium on Cluster Cloud and Internet Computing Workshops (CCGridW) 2023 IEEE 8\u201315.","DOI":"10.1109\/CCGridW59191.2023.00017"},{"key":"e_1_2_13_17_2","unstructured":"Kaseya \u201cKaseya Help Desk: Attack Timeline 2021 https:\/\/helpdesk.kaseya.com\/hc\/en-gb\/articles\/4403440684689-Important-Notice-August-4th-2021."},{"key":"e_1_2_13_18_2","unstructured":"NewmanA. The Kaseya Platform: Born to Be Secure 2013 https:\/\/www.kaseya.com\/blog\/2013\/05\/20\/the-kaseya-platform-born-to-be-secure\/."},{"key":"e_1_2_13_19_2","unstructured":"InsightsH. Companies Currently Using Kaseya Vsa 2021 https:\/\/discovery.hgdata.com\/product\/kaseya-vsa."},{"key":"e_1_2_13_20_2","unstructured":"R. F. T. A. K. Company Compliance Manager 2021 https:\/\/www.kaseya.com\/products\/compliance-manager\/."},{"key":"e_1_2_13_21_2","unstructured":"Kaseya THE WORLD\u2019S #1 RMM SOLUTION 2023."},{"key":"e_1_2_13_22_2","unstructured":"C. A. K. Company \u201cAutomation Exchange 2021 https:\/\/www.community.connectit.com\/automation-exchange\/."},{"key":"e_1_2_13_23_2","volume-title":"The Practice of System and Network Administration","author":"Limoncelli T. A.","year":"2007"},{"key":"e_1_2_13_24_2","unstructured":"MITRE \u201cRansomware: Getting Started Guide and Deep Dive Into Revil 2022."},{"key":"e_1_2_13_25_2","article-title":"Ransomware Groups on Notice: Us Cyber Operation Against Revil Is Permissible Under International Law","volume":"38","author":"Singh J.","year":"2023","journal-title":"American University International Law Review"},{"key":"e_1_2_13_26_2","doi-asserted-by":"publisher","DOI":"10.1177\/20438869221110246"},{"key":"e_1_2_13_27_2","doi-asserted-by":"publisher","DOI":"10.13169\/statecrime.12.1.0004"},{"key":"e_1_2_13_28_2","unstructured":"N.V.D. (NVD) \u201cCVE-2015-2862 2024 https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-2862."},{"key":"e_1_2_13_29_2","unstructured":"N.V.D. (NVD) CVE-2015-2863 2021 https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-2863."},{"key":"e_1_2_13_30_2","unstructured":"N. I. of Standards and Technology Cve-2015-2862 Detail 2015 https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2015-2862."},{"key":"e_1_2_13_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2023.3300381"},{"key":"e_1_2_13_32_2","doi-asserted-by":"publisher","DOI":"10.1177\/08404704231196144"},{"key":"e_1_2_13_33_2","unstructured":"MennJ.andBingC. EXCLUSIVE Governments Turn Tables on Ransomware Gang REvil by Pushing It Offline 2023."},{"key":"e_1_2_13_34_2","unstructured":"MennJ.andBingC. \u201cExclusive Governments Turn Tables on Ransomware Gang Revil by Pushing It Offline 2021."},{"key":"e_1_2_13_35_2","doi-asserted-by":"publisher","DOI":"10.1002\/9781394175512.ch9"},{"key":"e_1_2_13_36_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eij.2024.100445"},{"key":"e_1_2_13_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3361039"},{"key":"e_1_2_13_38_2","doi-asserted-by":"publisher","DOI":"10.20895\/infotel.v16i2.1091"},{"key":"e_1_2_13_39_2","unstructured":"LakshmananR. \u201cRevil Ransomware Gang Goes Underground After Tor Sites Were Compromised 2021 https:\/\/thehackernews.com\/2021\/10\/revil-ransomware-gang-goes-underground.html."},{"key":"e_1_2_13_40_2","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyab008"},{"key":"e_1_2_13_41_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102248"},{"key":"e_1_2_13_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/OJCOMS.2021.3074591"},{"key":"e_1_2_13_43_2","doi-asserted-by":"crossref","unstructured":"FranckB.andReithM. Developing Mandatory Reporting for Cyber-Attacks on us Businesses European Conference on Cyber Warfare and Security 2022 70\u201377.","DOI":"10.34190\/eccws.21.1.308"},{"key":"e_1_2_13_44_2","unstructured":"FBI \u201cFbi Statement on Kaseya Ransomware Attack 2021 https:\/\/www.fbi.gov\/news\/pressrel\/press-releases\/fbi-statement-on-kaseya-ransomware-attack."},{"key":"e_1_2_13_45_2","doi-asserted-by":"crossref","unstructured":"BaM. H. N. BennettJ. GallagherM. andBhuniaS. A Case Study of Credential Stuffing Attack: Canva Data Breach 2021 International Conference on Computational Science and Computational Intelligence (CSCI) 2021 IEEE 735\u2013740.","DOI":"10.1109\/CSCI54926.2021.00187"},{"key":"e_1_2_13_46_2","doi-asserted-by":"crossref","unstructured":"KieselK. DeepT. FlahertyA. andBhuniaS. Analyzing Multi-Vector Ransomware Attack on Accellion File Transfer Appliance Server 2022 7th International Conference on Smart and Sustainable Technologies (SpliTech) 2022 IEEE 1\u20136.","DOI":"10.23919\/SpliTech55088.2022.9854275"},{"key":"e_1_2_13_47_2","doi-asserted-by":"crossref","unstructured":"CaroscioE. PaulJ. MurrayJ. andBhuniaS. Analyzing the Ransomware Attack on D.C. Metropolitan Police Department by Babuk IEEE International Systems Conference (SysCon) 2022 IEEE.","DOI":"10.1109\/SysCon53536.2022.9773935"},{"key":"e_1_2_13_48_2","unstructured":"Vsa Detection Tool 2021 https:\/\/kaseya.app.box.com\/s\/p9b712dcwfsnhuq2jmx31ibsuef6xict."},{"key":"e_1_2_13_49_2","doi-asserted-by":"crossref","unstructured":"WangX. On the Feasibility of Detecting Software Supply Chain Attacks MILCOM 2021-2021 IEEE Military Communications Conference (MILCOM) 2021 IEEE 458\u2013463.","DOI":"10.1109\/MILCOM52596.2021.9652901"},{"key":"e_1_2_13_50_2","unstructured":"Team Huntress Huntress vsa Vaccine: Acting Like Hackers to Protect our Partners 2021."},{"key":"e_1_2_13_51_2","doi-asserted-by":"crossref","unstructured":"DalviA. KulkarniP. KoreA. andBhirudS. Dark Web Crawling for Cybersecurity: Insights Into Vulnerabilities and Ransomware Discussions 2023 2nd International Conference for Innovation in Technology (INOCON) 2023 IEEE 1\u20136.","DOI":"10.1109\/INOCON57975.2023.10101162"},{"key":"e_1_2_13_52_2","doi-asserted-by":"crossref","unstructured":"VehabovicA. ZanddizariH. andGhaniN. et al.Data-Centric Machine Learning Approach for Early Ransomware Detection and Attribution NOMS 2023-2023 IEEE\/IFIP Network Operations and Management Symposium 2023 IEEE 1\u20136.","DOI":"10.1109\/NOMS56928.2023.10154378"},{"key":"e_1_2_13_53_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.iotcps.2023.12.001"},{"key":"e_1_2_13_54_2","article-title":"2024 World Scientific Publishing Company","volume":"3","author":"Akter S. S.","year":"2023","journal-title":"Practical Guide On Security and Privacy In Cyber-Physical Systems, A: Foundations, Applications and Limitations"},{"key":"e_1_2_13_55_2","first-page":"113","volume-title":"A Practical Guide on Security and Privacy in Cyber-Physical Systems: Foundations, Applications and Limitations","author":"Akter S. S.","year":"2024"},{"key":"e_1_2_13_56_2","first-page":"44","article-title":"Towards Resilient Cyber Infrastructure: Optimizing Protection Strategies With Ai and Machine Learning in Cybersecurity Paradigms","volume":"7","author":"Petrovic N.","year":"2023","journal-title":"International Journal of Information and Cybersecurity"},{"key":"e_1_2_13_57_2","unstructured":"Features 2023 https:\/\/support.huntress.io\/hc\/en-us\/categories\/4405194433811-Features."},{"key":"e_1_2_13_58_2","doi-asserted-by":"publisher","DOI":"10.21108\/ijoict.v10i1.940"},{"key":"e_1_2_13_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/3677374"},{"key":"e_1_2_13_60_2","unstructured":"[Updated] Threat Spotlight: Sodinokibi\/Revil Ransomware 2021 https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/."},{"key":"e_1_2_13_61_2","unstructured":"The Wireshark Team Wireshark User\u2019s Guide 2024."},{"key":"e_1_2_13_62_2","unstructured":"M. T. Analysis.NET A Source for pcap Files and Malware Samples 2021 https:\/\/www.malware-traffic-analysis.net\/index.html."},{"key":"e_1_2_13_63_2","unstructured":"Palo Alto Networks Wireshark Tutorial: Examining Qakbot Infections 2021 https:\/\/unit42.paloaltonetworks.com\/tutorial-qakbot-infection\/."},{"key":"e_1_2_13_64_2","unstructured":"Palo Alto Networks Wireshark Tutorial: Examining Ursnif Infections. 2021 https:\/\/unit42.paloaltonetworks.com\/wireshark-tutorial-examining-ursnif-infections\/."},{"key":"e_1_2_13_65_2","unstructured":"BainesJ. Sonicwall sma 10.2.1.0-17sv Password Reset 2021 https:\/\/packetstormsecurity.com\/files\/164564\/SonicWall-SMA-10.2.1.0-17sv-Password-Reset.html."},{"key":"e_1_2_13_66_2","unstructured":"Kaseya Incident Overview & Technical Details 2021 https:\/\/helpdesk.kaseya.com\/hc\/en-gb\/articles\/4403584098961."},{"key":"e_1_2_13_67_2","unstructured":"KundaliyaD. Russia\u2019s New Cyber Laws Will Fuel Online Crime Claims Report 2021."},{"key":"e_1_2_13_68_2","unstructured":"KhayryuzovV. The Privacy Data Protection and Cybersecurity Law Review: Russia 2021 https:\/\/thelawreviews.co.uk\/title\/the-privacy-data-protection-and-cybersecurity-law-review\/russia."},{"key":"e_1_2_13_69_2","unstructured":"BBC Revil: Ransomware Gang Websites Disappear From Internet 2021 https:\/\/www.bbc.com\/news\/technology-57826851."},{"key":"e_1_2_13_70_2","unstructured":"MennJ.andBingC. Governments Turn Tables on Ransomware Gang Revil by Pushing It Offline 2021."},{"key":"e_1_2_13_71_2","unstructured":"LubinA. Cyber Plungers: Colonial Pipeline and the Case for an Omnibus Cybersecurity Legislation 2023."},{"key":"e_1_2_13_72_2","unstructured":"P.S. CNBC National Gas Average Tops 3.02 a Gallon as Hacked Pipeline Slowly Restarts 2021."},{"key":"e_1_2_13_73_2","unstructured":"VaronisR. S. 134 Cybersecurity Statistics and Trends for 2021 2021."},{"key":"e_1_2_13_74_2","unstructured":"PurpleSec 2021 Cyber Security Statistics the Ultimate List of Stats Data & Trends 2021."},{"key":"e_1_2_13_75_2","doi-asserted-by":"crossref","unstructured":"Pag\u00e1nA.andElleithyK. A Multi-Layered Defense Approach to Safeguard Against Ransomware 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC) 2021 IEEE 0942\u20130947.","DOI":"10.1109\/CCWC51732.2021.9375988"},{"key":"e_1_2_13_76_2","doi-asserted-by":"publisher","DOI":"10.1145\/3514229"},{"key":"e_1_2_13_77_2","unstructured":"Vsa Saas Startup Guide 2021 https:\/\/helpdesk.kaseya.com\/hc\/en-gb\/articles\/4403709476369."},{"key":"e_1_2_13_78_2","unstructured":"On Premises vsa Startup Readiness Guide 2021 https:\/\/helpdesk.kaseya.com\/hc\/en-gb\/articles\/4403709150993."},{"key":"e_1_2_13_79_2","unstructured":"WarrenR.andWhitehouseO. Confirmed Zero-Day Vulnerability in the Sonicwall SMA100 Build Version 10.X 2021."},{"key":"e_1_2_13_80_2","doi-asserted-by":"publisher","DOI":"10.1145\/3440712"},{"key":"e_1_2_13_81_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101745"},{"key":"e_1_2_13_82_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.101619"}],"container-title":["IET Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/ietresearch.onlinelibrary.wiley.com\/doi\/pdf\/10.1049\/ise2\/1655307","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/ietresearch.onlinelibrary.wiley.com\/doi\/full-xml\/10.1049\/ise2\/1655307","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/ietresearch.onlinelibrary.wiley.com\/doi\/pdf\/10.1049\/ise2\/1655307","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,8]],"date-time":"2026-03-08T22:33:15Z","timestamp":1773009195000},"score":1,"resource":{"primary":{"URL":"https:\/\/ietresearch.onlinelibrary.wiley.com\/doi\/10.1049\/ise2\/1655307"}},"subtitle":[],"editor":[{"given":"Helena","family":"Rif\u00e0-Pous","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"editor"}]}],"short-title":[],"issued":{"date-parts":[[2025,1]]},"references-count":82,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1]]}},"alternative-id":["10.1049\/ise2\/1655307"],"URL":"https:\/\/doi.org\/10.1049\/ise2\/1655307","archive":["Portico"],"relation":{},"ISSN":["1751-8709","1751-8717"],"issn-type":[{"value":"1751-8709","type":"print"},{"value":"1751-8717","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,1]]},"assertion":[{"value":"2024-02-27","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-01-03","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-01-31","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"1655307"}}