Kaseya’s CEO Response to Its Current Ransomware Attack

As many are aware, Kaseya’s Virtual System Administrator (VSA) was the target of a ransomware attack over the Independence Day weekend. Two days ago, on July 6, 2021, Kaseya’s CEO, Fred Voccola, posted a video on YouTube that summarized Kaseya’s response to this attack. This blog entry contains a summary of his comments from that video. You may access the full video available through this link.

Warning Bells Go Off

On Friday, July 2, 2021, at 2:00 pm EST, Kaseya first began to receive reports of suspicious activity. Kaseya’s internal playbook dictated that it protects clients by shutting down anything potentially dangerous so it cannot harm multiple parties. This required Kaseya to shut down the VSA module. It took this action by 3:00 pm EST. Voccola acknowledged that taking this step was very painful for its customers.
Kaseya engaged Homeland Security and the FBI, along with the White House, immediately.

The Impact

IT Complete, the Kaseya platform, has 27 modules. Voccola reports that Kaseya kept this breach to only one module, VSA. Only about 50 of Kaseya’s 37,000 customers were affected. Voccola believes the modular nature of Kaseya’s security architecture prevented the attack from spreading to any modules other than VSA.
Many Kaseya customers are Managed Service Providers (MSPs). They, in turn, provide outsourced IT services for small and mid-sized businesses (SMBs). These MSPs manage 800,000 – 1 million SMBs. Kaseya estimates 800 – 1,500 of these customers were affected.
Kaseya has heard from at least 50 industry-leading CEOs of large companies, to include its competitors, offering help. They have all said, “It is a matter of when, not if, you are impacted by ransomware. Now it is just Kaseya’s turn.
Voccola advised organizations that this will happen to them. A proper response requires:

  • Preparation
  • Quickly admitting something happened
  • Not trying to hide it
  • Seek help from people
  • Try to get focused on the customers
  • Get information out there

Kaseya is attempting to perform these tasks to the best of its abilities.

Kaseya’s Response

Within two hours, Kaseya identified the specific vulnerability. Voccola reports Kaseya has created a fix, tested it, and worked with its partners to ensure the fix is secure. It is currently working on deployment strategies to get the fix out.
The 50 or so customers who have been impacted represent less than .01% of its customers. Kaseya has reached out to all of them.
Voccola regretted that this is the way the world is today. Even the best software companies in the world now get breached, with Microsoft, Solarwinds, and Juniper Networks having previously experienced breaches.
There are bad people out there who can make a lot of money by getting paid in anonymous currencies. These ransom payments are nearly impossible to trace by authorities.
Kaseya has taken down all its RMM modules and its customers offline out of an abundance of caution.
This breach generated an incredible amount of scrutiny from the press. Cyber crime and ransomware have become the topic of the day, with Kaseya being caught in the middle. Voccola believes the press have made the story and the impact larger than what it is.
Voccola says the customers that were breached have every right to feel like this is a big deal. Kaseya is recommitting itself to every possible consideration that is there. However, he believes Kaseya’s security plan and the architecture of how it runs IT Complete prevented an impact that could have been much greater.

What is Coming

Kaseya is working to bring VSA online both on-premises and in the SaaS environment. Kaseya has several hundred people dedicated to that effort.
I have excerpted and summarized the comments in this blog article from the video referenced in the opening paragraph. I encourage you to view the video in its entirety so you may draw your own conclusions.

Keep Up to Date with DCIG

To be notified of new DCIG articles, reports, and webinars, sign up for DCIG’s free weekly Newsletter.
Technology providers interested in licensing DCIG content or having DCIG produce custom reports, please contact DCIG for more information.

Click Here to Signup for the DCIG Newsletter!

Categories

DCIG Newsletter Signup

Thank you for your interest in DCIG research and analysis.

Please sign up for the free DCIG Newsletter to have new analysis delivered to your inbox each week.