Kaseya Ransomware Victim Speaks Out: From ‘The Abyss’ To Recovery With Aid From MSP Community

Robert Cioffi, co-founder of Progressive Computing, recounts how most client endpoints were restored in 17 days thanks to volunteer help from other MSPs after cybercriminals ransomed all 80 of the company’s clients during the July 2021 attack.


For 10 minutes, Robert Cioffi was completely frozen.

Cioffi’s company, Progressive Computing, was far from the only MSP impacted in connection with the July 2021 ransomware attack against Kaseya, the maker of a remote monitoring and management tool used by the company and many other MSPs. But the Yonkers, N.Y.-based MSP was among the most thoroughly devastated: Every one of the MSP’s 80 clients was encrypted and held for ransom by Eastern European cybercriminals during the attack.

As Cioffi tried to figure out what to do, one icon after another on his PC began turning white. His own machine was now encrypted, too.

And so for about 10 minutes, Cioffi couldn’t make a decision. He couldn’t do anything at all.

Suffocating, drowning—or both at the same time—is what it felt like in those moments, Cioffi recalled Tuesday. He shared the account during a keynote at XChange Security 2023 in Dallas, which is being hosted this week by CRN parent The Channel Company.

As he sat in front of his now-encrypted PC, Cioffi thought of his company’s valuation and the potential impact on his employees. He thought of his family and whether he could afford to continue paying his daughter’s college tuition. He thought of his exit strategy for the company and whether he even still had one, despite having put nearly three decades into the business that he co-founded in 1993.

“I was staring into the abyss,” Cioffi said.

Finally, another thought entered his mind: How do we undo this?

Cioffi gathered everyone in the company into a conference room, or had them dial in, and delivered a simple message: “We were, together as a team, going to undo this mess,” he said.

“Quite frankly, I really didn’t understand how,” Cioffi said. “But I knew that together, we were going to get it done.”

As it turned out, “together” included a lot more than the staff of Progressive Computing alone.

A friend from an MSP peer group was the first to send help in the form of six technicians who flew in from around the U.S. Others followed, with a total of 27 organizations helping out for free, comprising more than 50 people in total, Cioffi told CRN in an interview.

Within 17 calendar days of the Kaseya ransomware attack, 95 percent of the 2,500 endpoints that Progressive Computing was responsible for—including all 250 servers—were recovered, according to Cioffi.

The company survived. And while it lost 15 percent of its top-line revenue, that has been regained at this point, Cioffi told CRN.

“We’re definitely back to where we were, and climbing back over that,” he said in the interview.

‘Hard To Hear’

For every MSP executive who listened to Cioffi’s remarks Tuesday, “we have these fears,” said Reagan Roney, a principal and head of managed services business development at Solvere One IT.

In today’s intense cyberthreat environment, there’s a “lot of pressure” put on MSPs and MSSPs, Roney told CRN.

“We’re supposed to have it all—so that we’re 100 percent secure, that we 100 percent know what we’re doing,” Roney said. “But the reality is, we don’t. We know a lot. We’re doing everything we can, but we can’t control everything. But our clients expect it.”

As a result, “to hear the horror story that he went through, how he felt personally, how it affected his family, his state of mind, the business—that was really hard to hear,” he said. “There was no doubt that every one of us who was listening to him wanted to just give him a big hug, and tell him, ‘Thank you for sharing your story.’”

Tanaz Choudhury, president of TanChes Global Management, said she was also moved by hearing Cioffi’s account. She agreed that this type of incident “could literally happen to anybody in that room.”

“The question is, what are we going to do to mitigate that risk? And then what is the immediate response plan God forbid you should get hit?” Choudhury told CRN.

MSPs should strive to go beyond simply having a typical incident response plan to assessing what sort of impact that plan might have on each customer, she said. For instance, each customer might be affected differently based on a variety of factors, and understanding in advance how things might play out can be crucial, Choudhury said.

“It’s really important that you have a response plan, but you have to know the impact of that response plan that you are invoking,” she said. “Because without that, you’re just throwing it at the wall and seeing what sticks.”

‘The Missing Element’

For Cioffi, the experience of the July 2021 attack has led him to conclude that the community itself is the answer to the immensity of the cyberthreats MSPs face every day.

To that end, Cioffi said he’s been helping put together an initiative in which volunteers like himself, who have gone through a cyber incident before, will offer free coaching to MSPs that have experienced one. Down the road, Cioffi hopes to expand the initiative to include an ability to dispatch volunteer technical experts to help respond to major attacks against MSPs.

The concept raises liability questions, Cioffi told CRN, but “we’re working those things out. We’re all very confident that we can figure this out.”

Ultimately, Cioffi said during the keynote session Tuesday, the “missing element” in MSP cybersecurity stacks today can be summarized in one word: community.

“It’s the only way that I think we can really fight cybercriminals,” he said. “If we link arms together, there’s a way for us to defeat [our] enemies.”