On Friday, a flood of ransomware hit hundreds of companies around the world.

The victims had something in common: a key piece of network management and remote control software developed by U.S. technology firm Kaseya. The Miami-headquartered company makes software used to remotely manage a company’s IT networks and devices. That software is sold to managed service providers — effectively outsourced IT departments — which they then use to manage the networks of their customers, often smaller companies.

But hackers associated with the Russia-linked REvil ransomware-as-a-service group are believed to have used a never-before-seen security vulnerability in the software’s update mechanism to push ransomware to Kaseya’s customers, which in turn spread downstream to their customers. Many of the companies who were ultimately victims of the attack may not have known that their networks were monitored by Kaseya’s software.

Kaseya warned customers on Friday to “IMMEDIATELY” shut down their on-premise servers, and its cloud service — though not believed to be affected — was pulled offline as a precaution.

“[Kaseya] showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint.”Security researcher Victor Gevers

John Hammond, senior security researcher at Huntress Labs, a threat detection firm that was one of the first to reveal the attack, said about 30 managed service providers were hit, allowing the ransomware to spread to “well over” 1,000 businesses.” Security firm ESET said it knows of victims in 17 countries, including the U.K., South Africa, Canada, New Zealand, Kenya, and Indonesia.

On Monday night, Kaseya said in an update that about 60 Kaseya customers were affected and put the downstream number of victims at fewer than 1,500 companies.

Now it’s becoming clearer just how the hackers pulled off one of the biggest ransomware attacks in recent history.

Dutch researchers said they found several zero-day vulnerabilities in Kaseya’s software as part of an investigation into the security of web-based administrator tools. (Zero-days are named as such since it gives companies zero days to fix the problem.) The bugs were reported to Kaseya and were in the process of being fixed when the hackers struck, said Victor Gevers, who heads the group of researchers, in a blog post.

Kaseya’s chief executive Fred Voccola told The Wall Street Journal that its corporate systems were not compromised, lending greater credence to the working theory by security researchers that servers run by Kaseya’s customers were compromised individually using a common vulnerability.