May 11, 2026

How our researchers almost stopped a global cyberattack

In the summer of 2021, Wietse, Hidde (our team!) and other members of the Dutch Institute of Vulnerability Disclosure (DIVD) came painfully close to preventing one of the largest ransomware attacks in history. We discovered critical flaws in Kaseya’s VSA software, flaws that, if left unpatched, could let criminals lock down thousands of businesses worldwide. We reported our findings, worked with Kaseya to fix the issues, and were just days away from rolling out the final patches.

Then, the REvil ransomware gang struck first.

The attack encrypted data for up to 1,500 organizations, from Swedish supermarkets to American schools. The hackers demanded $70 million to unlock it all. The Dutch team’s efforts, while heroic, were just a little too late. But their story isn’t about failure. It’s about what happens when expertise, persistence, and a sense of responsibility collide with the harsh realities of cybercrime.

The attack that was nearly prevented

The vulnerabilities in Kaseya’s software weren’t immediately obvious. We uncovered seven vulnerabilities in early April 2021 after careful analysis. We reported our findings to Kaseya, who started patching the system. But patching takes time. And in cybersecurity, time is something you don’t always have.

By July, REvil exploited one of the remaining unpatched flaws. They didn’t just target Kaseya. They used it as a gateway to infect hundreds of IT service providers and their clients. It was a supply chain attack, meaning the breach didn’t just hit one company. It rippled through entire networks, locking down businesses that had no idea they were even at risk.

We had seen this coming and warned Kaseya. Despite working tirelessly to fix the flaws, the attackers moved faster.

Why this attack was different

Most cyberattacks target a single company or system. This one was different. By compromising Kaseya, REvil didn’t just hack a software provider. They hacked the providers of hundreds of other businesses. It was like breaking into a bank not to rob the vault, but to steal the keys to every safe deposit box inside.

The fallout was immediate. Companies in the U.S., Sweden, and the Netherlands found their systems locked, their data encrypted, and their operations grinding to a halt. The attack wasn’t just a technical failure. It was a reminder of how interconnected and how vulnerable our digital world really is.

The human element: what machines can’t see

Automated scans and AI tools are incredible. They can find vulnerabilities faster than any human ever could. But they can’t fully predict how an attacker will think. They can’t anticipate the creative ways criminals chain flaws together or exploit systems in ways no one expected.

That’s where we come in.

We didn’t just find bugs. We understood the context. We asked questions like:

  • How would a real attacker use this?
  • What’s the worst that could happen?
  • How do we stop it before it starts?

Our work wasn’t just about fixing code. It was about seeing the bigger picture, anticipating risks, and acting before it was too late. It’s a reminder that in cybersecurity, the best defense isn’t just technology. It’s the people behind it.

Lessons for the rest of us

The Kaseya attack wasn’t just a wake-up call for IT providers. It was a lesson for every business that relies on digital systems. Here’s what we can take away:

  • Assume you’re a target: If your systems can be exploited, assume someone is already trying. Proactive defense isn’t optional. It’s essential.
  • Patch fast, patch smart: Delays in updating software can be catastrophic. The window between discovering a flaw and exploiting it is getting smaller every day.
  • Collaborate: Security isn’t something you can do alone. Sharing knowledge, whether through organizations like DIVD or industry partnerships, makes everyone stronger.
  • Invest in expertise: Tools are only as good as the people using them. The best security combines technology with human insight, curiosity, and experience.

At Eradix, this is how we approach security. We don’t just run scans or rely on automated tools. We think like attackers. We simulate real-world breaches. We help organizations build resilience, not just for the threats they know about, but for the ones they don’t.

What happens next?

The Kaseya attack could have been much worse. Thanks to the work of our ethical hackers, the damage was contained, and Kaseya could warn potentially affected organizations far faster than it could have without our contributions.

The next threat is already out there. The question isn’t if another attack will happen. It’s when. For organizations like yours, the message is clear. Security isn’t a one-time fix. It’s an ongoing process. Whether you’re a small business or a global enterprise, the time to act is now.

If you’re ready to take your security seriously, beyond scans, beyond assumptions, let’s talk. Because in a world where threats are always evolving, the best defense isn’t just better technology. It’s the people who use it wisely.

Want to read more?

The ransomware attack and the work of Wietse and Hidde were well covered in mainstream media. Read more about it here:

  • https://nos.nl/artikel/2387973-nederlandse-ethische-hackers-probeerden-ransomware-aanval-te-voorkomen
  • https://www.vn.nl/divd/
  • https://www.bleepingcomputer.com/news/security/kaseya-was-fixing-zero-day-just-as-revil-ransomware-sprung-their-attack/amp/?__twitter_impression=true  
  • https://therecord.media/kaseya-zero-day-involved-in-ransomware-attack-patches-coming/  
  • https://www.bloomberg.com/news/articles/2021-07-04/mass-ransomware-hack-used-it-software-flaw-researchers-say?utm_source=url_link
  • https://www.volkskrant.nl/nieuws-achtergrond/zelfs-de-supermarkt-is-doelwit-van-russische-hackers-een-van-de-ingrijpendste-aanvallen-ooit~bdab4527/?utm_campaign=shared_earned&utm_medium=social&utm_source=copylink
  • https://www.ed.nl/eindhoven/op-een-haar-na-voorkwamen-nederlandse-vrijwilligers-wereldwijde-cyberaanval-van-beruchte-russische-criminelen-op-duizenden-bedrijven~aac4fc15/?referrer=https%3A%2F%2Fwww.google.com%2F
  • https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html
  • https://fortune.com/2021/07/05/ransomware-exploit-hackers-skill-kaseya-security/
  • https://gigazine.net/news/20210705-revil-ransomeware-gang-msp-supply-chain-attack/
  • https://nltimes.nl/2021/07/05/dutch-team-day-away-saving-kaseya-hackers-struck-ransomware-demand-hits-70-million
  • https://www.agconnect.nl/artikel/ransomwaregat-kaseya-was-al-ontdekt-en-gemeld-door-divd
  • https://www.computable.be/artikel/nieuws/security/7210136/5440850/massale-ransomware-aanval-via-kaseya.html
  • https://www.bndestem.nl/tech/daders-internationale-megahack-eisen-70-miljoen-dollar-losgeld~ad33633d/
  • https://www.trouw.nl/economie/nederlandse-vrijwilligers-hadden-de-wereldwijde-ransomware-aanval-bijna-voorkomen~b2e52b77/?referrer=https%3A%2F%2Fwww.google.com%2F  
  • https://isc.sans.edu/podcastdetail.html?id=7570
  • https://www.wsj.com/articles/software-firm-at-center-of-ransomware-attack-was-warned-of-cyber-flaw-in-april-11625673291?mod=hp_lead_pos4
  • https://www.wired.com/story/revil-ransomware-supply-chain-technique
  • https://www.wired.com/story/revil-ransomware-kaseya-flaw-fix-disclosure-april/
  • https://www.techtarget.com/searchsecurity/news/252503766/Dutch-researchers-shed-new-light-on-Kaseya-vulnerabilities
  • https://www.thehaguesecuritydelta.com/news/newsitem/1903-the-dutch-institute-for-vulnerability-disclosure-divd-is-doing-good-for-bv-nederland
  • https://www.groene.nl/artikel/voor-niets
  • https://threatpost.com/zero-days-kaseya-unitrends-backup-servers/168180/
  • https://fd.nl/futures/1406092/was-de-megahack-via-kaseya-te-voorkomen
  • https://www.zerocopter.com/blog-en/kaseya-ransomware-attack-interview-with-the-dutch-institute-for-vulnerability-disclosure
  • https://thehackernews.com/2021/08/kaseya-issues-patches-for-two-new-0-day.html
  • https://www.aviationanalysis.net/these-ethical-hackers-could-easily-disable-millions-of-solar-panels-then-youd-have-a-national-blackout/
  • https://www.dutchitchannel.nl/news/466946/zero-days-maken-overnemen-van-enphase-iq-gateway-mogelijk
  • https://www.ftm.nl/artikelen/hacker-kan-stekker-uit-zonnepanelen-trekken-en-stroomnet-platleggen
  • https://beveiligingnieuws.nl/grote-kwetsbaarheid-stroomnet-ontdekt/