July 15, 2021 · 10 min read · Cybersecurity

The Kaseya Attack: Why Supply Chain Security Is Every Founder's Problem

On 2 July 2021, the REvil ransomware group exploited a zero-day vulnerability in Kaseya's VSA platform, compromising up to 2,000 organisations through a single supply chain attack. The $70 million ransom demand and the cascading impact made it the largest ransomware event in history at that point.

Supply Chain Security, Ransomware, Vendor Risk, MSP Security, Zero-Day Exploits
Giovanni van Dam

IT & Business Development Consultant

One Vendor, 2,000 Victims

On 2 July 2021 — the Friday before America's Independence Day weekend — the REvil ransomware group launched what would become the largest ransomware attack in history up to that point. The target was not a single company but an entire ecosystem. By exploiting a zero-day vulnerability in Kaseya's VSA (Virtual System Administrator) platform, the attackers compromised approximately 60 managed service providers (MSPs) and, through them, up to 2,000 downstream organisations across at least 17 countries.

The attack was surgically elegant. Kaseya VSA was a remote monitoring and management tool used by MSPs to administer their clients' IT infrastructure. By compromising VSA, the attackers gained the same privileged access that MSPs used to manage thousands of endpoints. A single vulnerability in a single vendor's product cascaded into a global incident that encrypted systems at supermarket chains, dental practices, accounting firms, and small businesses that had never heard of Kaseya.

REvil initially demanded $70 million in Bitcoin for a universal decryptor — a price that reflected the scale of the attack and the group's understanding of the aggregate pain they had inflicted.

The Anatomy of a Supply Chain Attack

The Kaseya attack exemplified a supply chain attack vector that had been growing in sophistication since the SolarWinds breach disclosed in December 2020. Rather than attacking 2,000 organisations individually, the attackers identified a force multiplier — a trusted vendor whose software ran with elevated privileges across thousands of environments — and compromised that single point of leverage.

The zero-day vulnerability exploited in VSA (CVE-2021-30116) was an authentication bypass that allowed the attackers to deploy ransomware through VSA's own software distribution mechanism. From the perspective of the target systems, the malicious payload appeared to come from a trusted management tool. Endpoint security solutions that whitelisted VSA processes did not flag the activity. The attack weaponised the trust that organisations placed in their technology vendors.
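The passage above describes the shape of the incident: a package pushed to the whole fleet through the management platform's own distribution channel, from an account and a source the endpoints already trusted. As an added example (not code from the article or from Kaseya; the audit-log format, package ids, operator names and fleet size are all constructed), the script below shows the kind of console-side check that catches that shape regardless of what the endpoints think of the process: an unapproved package reaching most of the fleet inside a short window.

```python
# Added example, not code from the article or from Kaseya. It scans a constructed
# management-console audit log (format assumed, see SAMPLE_LOG) and flags a package
# that reaches most of the fleet within minutes with no approved change record.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed lines: timestamp, action, package id, operator account, endpoint id.
SAMPLE_LOG = """\
2021-07-02T14:00:05Z deploy pkg-patch-2107 ops.alice ep-01
2021-07-02T14:20:11Z deploy pkg-patch-2107 ops.alice ep-02
2021-07-02T16:30:00Z deploy pkg-9f3a svc-vsa ep-01
2021-07-02T16:30:02Z deploy pkg-9f3a svc-vsa ep-02
2021-07-02T16:30:03Z deploy pkg-9f3a svc-vsa ep-03
2021-07-02T16:30:05Z deploy pkg-9f3a svc-vsa ep-04
2021-07-02T16:30:09Z deploy pkg-9f3a svc-vsa ep-05
"""
FLEET_SIZE = 5
APPROVED_PACKAGES = {"pkg-patch-2107"}  # packages that have a change ticket

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, action, package, operator, endpoint = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "action": action, "package": package,
                       "operator": operator, "endpoint": endpoint})
    return events

def find_mass_deployments(events, fleet_size, approved,
                          window=timedelta(minutes=10), threshold=0.5):
    """Unapproved packages that reached >= threshold of the fleet inside one window."""
    by_pkg = defaultdict(list)
    for e in events:
        if e["action"] == "deploy" and e["package"] not in approved:
            by_pkg[e["package"]].append(e)
    alerts = []
    for pkg, evs in by_pkg.items():
        evs.sort(key=lambda e: e["ts"])
        seen, start = Counter(), 0  # distinct endpoints hit inside the sliding window
        for e in evs:
            seen[e["endpoint"]] += 1
            while e["ts"] - evs[start]["ts"] > window:  # drop events older than window
                old = evs[start]["endpoint"]
                seen[old] -= 1
                if seen[old] == 0: del seen[old]
                start += 1
            if len(seen) / fleet_size >= threshold:
                alerts.append({"package": pkg, "operator": e["operator"],
                               "endpoints": len(seen), "first_seen": evs[start]["ts"]})
                break  # one alert per package is enough
    return alerts
```

The approved package is skipped even though it also reaches the fleet, and a slow roll-out spread over hours never accumulates enough endpoints inside one window; only the burst from the unapproved package is reported.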

What made this particularly devastating for small and mid-market businesses was that many of them had outsourced their IT management to MSPs precisely because they lacked the internal resources to manage security themselves. The Kaseya attack revealed that outsourcing IT management does not outsource IT risk — it concentrates it in the security posture of your service provider.

Vendor Risk: The Blind Spot in Most Security Strategies

The Kaseya attack exposed a critical gap in how most organisations approach security: vendor risk management. Even businesses with robust internal security controls often have minimal visibility into the security practices of their technology vendors. They evaluate vendors on features, price, and service quality — but rarely conduct meaningful security assessments of the software supply chain.

For the founder-led businesses I work with through my consulting practice, this blind spot is particularly dangerous. These organisations typically rely on a concentrated set of critical vendors — cloud platforms, SaaS applications, MSPs, and payment processors. A security failure at any one of these vendors can cascade into an existential threat for the businesses that depend on them.

The practical challenge is that most mid-market businesses lack the resources to conduct enterprise-grade vendor security assessments. The solution is not to perform exhaustive audits of every vendor, but to identify the vendors with the most privileged access to your systems and data, and to apply proportionate scrutiny to their security practices, certifications, incident response capabilities, and contractual commitments.

Lessons from the Aftermath

The aftermath of the Kaseya attack offered several instructive developments. Kaseya obtained a universal decryptor on 22 July — reportedly through law enforcement cooperation rather than ransom payment — and distributed it to affected organisations. REvil's infrastructure went offline shortly thereafter, though the group would briefly resurface before its members were arrested.

The attack accelerated several industry trends. Cyber insurance premiums increased significantly, with underwriters demanding more detailed information about supply chain dependencies. The Cybersecurity and Infrastructure Security Agency (CISA) intensified its focus on MSP security, issuing specific guidance for managed service providers and their clients. The concept of a "Software Bill of Materials" (SBOM) — a comprehensive inventory of all software components in a product — gained momentum as a tool for supply chain transparency.

For businesses, the most important lesson was that supply chain security is not a vendor's problem — it is a shared responsibility. Understanding your vendor dependencies, assessing their security posture, and planning for vendor-originated incidents must be part of your security strategy.

Building a Supply Chain Security Framework

Post-Kaseya, every business should implement a proportionate supply chain security framework. This includes maintaining a current inventory of all critical technology vendors and their access levels, requiring security certifications (SOC 2, ISO 27001) from vendors with privileged access, establishing contractual requirements for incident notification and cooperation, testing incident response plans that include vendor-originated breach scenarios, and evaluating the concentration risk of relying on any single vendor for critical capabilities.

These measures do not require enterprise-scale budgets. They require discipline, prioritisation, and the recognition that your security perimeter now extends to encompass every vendor in your technology stack. The Kaseya attack proved that a single vulnerability in a single vendor's product can cascade into a crisis affecting thousands of businesses. The question is whether your organisation will be prepared when — not if — a similar supply chain compromise affects your vendors.

If your business needs to evaluate its supply chain security posture or develop a vendor risk management framework, I can help you build a practical, proportionate approach. Get in touch to discuss your specific vulnerabilities and priorities.

Giovanni van Dam

MBA-qualified entrepreneur in IT & business development. I help founder-led businesses scale through technology via GVDworks and build AI-powered SaaS at Veldspark Labs.