Last Updated: July 2021
A Holiday Weekend Nightmare
Let’s not sugarcoat it: the Kaseya VSA ransomware attack on July 2, 2021, was a masterclass in how legacy MFA fails when the stakes are highest. The REvil ransomware group exploited a zero-day vulnerability in Kaseya VSA—a remote monitoring tool used by thousands of managed service providers (MSPs)—to push a malicious update that crippled up to 1,500 businesses across five continents. Schools shut down, grocery chains like Sweden’s Coop couldn’t operate, and entire operations ground to a halt over a holiday weekend. REvil had the audacity to demand $70 million for a universal decryptor. And while the initial entry was a software flaw, the real damage came from stolen credentials and lateral movement inside networks. Legacy MFA? It didn’t stand a chance.
According to IBM’s 2025 Cost of a Data Breach Report, the global average cost of a breach now hits $4.44 million. Multiply that across 1,500 organizations, and you’ve got a financial bloodbath. Let’s tear into why legacy MFA rolled over and let this catastrophe unfold.
Where It All Went Wrong
Zero-Day Exploit: The Door Was Wide Open
The attack started with a zero-day vulnerability in Kaseya VSA, allowing REvil to inject a malicious update through the supply chain. MSPs, who trusted Kaseya for remote management, had no idea their systems were being weaponized against their own customers. Sure, a software flaw isn’t an MFA issue at first glance—but the second attackers got in, they needed credentials to do real damage. That’s where legacy MFA should have stepped up. Spoiler: it didn’t.
Credential Abuse: Legacy MFA Was a Paper Tiger
Once inside, REvil didn’t need to work hard. They harvested credentials—likely from phishing or prior leaks—and moved laterally across networks. Many MSPs and their clients relied on outdated MFA like SMS codes or push notifications, which are laughably easy to bypass with social engineering or man-in-the-middle tricks. Some accounts didn’t even have MFA at all. The result? Attackers waltzed into administrative systems like they owned the place. Legacy MFA couldn’t stop a toddler with a stolen password, let alone a sophisticated group like REvil.
Ransomware Spread: No Guardrails in Sight
With admin access in hand, REvil deployed ransomware to encrypt systems far and wide. Without robust, un-phishable authentication on privileged accounts, there was nothing to stop the spread. Legacy MFA’s reliance on stealable second factors meant that even “protected” accounts were just a phishing email away from compromise. The cascading impact hit businesses that didn’t even use Kaseya directly, proving how interconnected—and vulnerable—supply chains really are.
The Damage: A $70 Million Ransom Demand
This wasn’t just a breach; it was a global shakedown. REvil’s $70 million demand was one of the largest ransomware asks in history at the time. Beyond the ransom, the downtime costs for 1,500 businesses were astronomical. IBM’s 2025 Cost of a Data Breach Report pegs the average time to identify and contain a breach at 241 days—a timeline that spells doom for organizations already reeling from encrypted systems. Schools couldn’t teach, stores couldn’t sell, and MSPs lost client trust overnight. Legacy MFA didn’t just fail; it practically invited the disaster.
Why Legacy MFA Keeps Failing
Let’s be real: legacy MFA is built on a house of cards. It assumes a second factor like a text message or app notification is enough to stop attackers. Newsflash—it’s not. Phishing, SIM swapping, and push fatigue attacks bypass these measures daily. And when you’ve got a supply chain attack like Kaseya, where a single exploit can hit thousands of endpoints, you need authentication that’s actually secure, not just a checkbox for compliance. If you want to understand why prevention beats detection every time, check out Prevention — Not Detection.
The fix isn’t complicated, but it requires ditching legacy MFA entirely. The full technical breakdown of what actually works is at mfa2point0.com.
FAQ: What Frustrated IT Managers Want to Know
Q: Why does legacy MFA keep failing against ransomware?
A: Because it’s phishable, plain and simple. SMS codes, push notifications, even some hardware tokens can be stolen from users or obtained by tricking them. Ransomware gangs know this and exploit it every day.
Q: Our MSP swears their MFA is ‘good enough.’ How do I push back?
A: Point to Kaseya. ‘Good enough’ didn’t stop REvil from hitting 1,500 businesses. Ask for un-phishable, passwordless authentication that doesn’t rely on stealable factors. If they can’t provide it, they’re not serious about security.
Q: How do I convince leadership to ditch legacy MFA after a breach like this?
A: Show them the numbers—$4.44 million average breach cost (IBM 2025). Then show them Kaseya’s $70 million ransom demand. Ask if they’re willing to bet the company on outdated tech. That usually gets their attention.