The ransomware gang that attacked Kaseya locked systems down and requested ransom payments from end-user organizations, skipping MSPs and Kaseya itself, said Fred Voccola, CEO of Kaseya.
Voccola told CRN that the ransomware attacker was only looking for money from end customers and not from the 50 or so MSPs compromised by a local version of Kaseya’s VSA remote monitoring and management tool. The ransomware group REvil demanded $50,000 from smaller victims and $5 million from larger victims, according to The Washington Post.
“These attacks have become much more sophisticated,” said Voccola on Saturday afternoon. “They are smart people.”
Kaseya’s technical teams work around the clock with affected end customers and MSPs, particularly helping them navigate the cyber insurance process and, from a legal perspective, deal with federal and state authorities. The company has also been able to help victims with technical response and add value, Voccola said.
“As a company, we have a lot of resources and many of our customers don’t,” said Voccola. “So often all they have to do is speak to a lawyer, they need someone to review their logs. All we can do to help [we will],” said Voccola, referring specifically to the company’s large in-house legal department, external legal resources, and backup and recovery experts.
Of the 50 MSPs affected by the cyber attack, Voccola said that only a subset of their end customers were subsequently hit, meaning that not every device under the management of those MSPs was ultimately ransomed. This is different from what Huntress Senior Security Researcher John Hammond found, who said the ransomware spread from the compromised MSP through the VSA and into all clients of the MSP.
According to Voccola, the vulnerability exploited by the ransomware gang was only available in a small number of Kaseya’s 6,500 on-premise customers. He declined to comment on whether the affected MSPs had two-factor authentication and other security controls and best practices. Two-factor authentication is enabled by default in Kaseya’s VSA product, Voccola said.
According to Voccola, Kaseya has identified the vulnerability and developed a patch and is currently having two third-party organizations carry out penetration tests for the patch and carry out their own quality assurance measures. It assumes that access to both the local and SaaS versions of VSA will be restored at the same time. Kaseya has 37,000 VSA customers, none of which have been compromised by the SaaS version of the tool.
“The biggest lesson I’ve learned is trust the process and not take risks,” said Voccola. “A day of downtime – or 36 hours of downtime – is much better than someone who is bought out.”
Voccola declined to comment on whether end customers paid the ransom and was unsure how many end customers were actually ransomed as Kaseya cannot see for itself how many end user organizations are served by a single MSP. While Kaseya has taken out cyber insurance, Voccola said he is currently unsure of the economic impact of the ransomware attack.
“The last thing we think about right now is how much money this will cost us,” said Voccola. “We have to make sure that we take care of these 50 customers.”
A Kaseya MSP hit by the cyber attack, which did not want to be identified, said its customers were still unable to get online after the ransomware attack.
“We’re still facing this ransomware crisis,” he said. “Our customers rely on Kaseya products in their work. So at the moment none of our customers can go online. Kaseya told us last night that they saw customers at 9 a.m. this morning. Now they expect us to be back online at 8 p.m. tonight. We are confident.”
The MSP said the Kaseya attack was another reckoning moment for MSPs grappling with a constant flurry of security attacks.
“MSPs are in the public eye and paying attention,” he said. “We are the protectors of our customers’ data – the holders of the keys, and we rely on MSP platform providers like Kaseya to keep us safe. That does not work. As MSPs, we need to do even more to ensure that our customers are not affected by such an attack.”
The MSP said the MSP community needs to band together to develop a plan to better protect customer data. “Ransomware and cyberattacks are at a pandemic level,” he said. “It’s never been worse, and it seems to get worse with every day that goes by. Nobody is safe now.”
Overall, the MSP praised Kaseya for doing a good job being transparent and communicating about the steps being taken to bring MSPs and their customers back online.
“Kaseya did everything right,” he said. “We are waiting for a full report once this is clarified. We are really lucky that this happened on the weekend of July 4th when many of our customers were not working. If this had been a regular working week, it would have been a much bigger disaster.”
Steven Burke contributed to this report.