Kaseya MSPs: ‘We Want To Get Out Of This Mess’
With Kaseya services still not restored as of Tuesday afternoon following Friday’s massive REvil ransomware attack, MSPs say they are getting “frustrated.”
Kaseya has yet to restore services to its VSA remote monitoring and management software as of Tuesday afternoon as many MSPs are urgently waiting for the company to resolve this weekend’s massive ransomware attack by the REvil ransomware group.
“We want to get out of this mess,” said one top executive from an MSP who partners with Kaseya and who declined to be named. “Luckily, we were one of the cloud customers, not the on-premise customers. But for us, from Friday at around 2 p.m. until now, our Kaseya VSA is still down. … We know the federal government is involved. We know that FireEye is involved. So we’ll reserve final judgement until we see the final report, but we’d like this to be over with today.”
Kaseya CEO Fred Voccola initially said on Friday evening, the same day of the REvil ransomware attack, that his company expected to restore service to its SaaS customers within the next 24 hours. However, that did not occur. Then on Sunday, Kaseya said it planned to restart its SaaS service Monday morning in specific regions, but that didn’t occur as well. The restoration process was then postponed again on Monday following an executive committee meeting.
The MSP executive said he understands that the REvil cyberattack is one of the largest ransomware cases ever, with REvil demanding $70 million in Bitcoin to decrypt the victims, but some “frustration” is setting in for many MSPs.
“We’re definitely frustrated,” he said, adding that none of his customers were directly affected by the Kaseya ransomware attack. “But at the same time, happy that I’m not dealing with ransomware today.”
[Related: 5 Takeaways On Kaseya Cyberattack From CEO Fred Voccola]
“For us, a lot of our clients rely on the remote access portion of the Kaseya VSA. So customers aren’t killing us right now asking a billion questions. We’ve contacted our customers and taken the data and put it out there for them. As customers ask about more things, we’ve put more information in place for them,” said the MSP. “We’re probably going to give our fourth update today once Kaseya issues its next update.”
Many of Kaseya’s customers are MSPs who use Kaseya’s technology to manage IT infrastructure for local and small businesses.
Approximately 50 of Kaseya’s MSP customers using an on-premise version of VSA were directly compromised in Friday’s REvil ransomware attack. Of the 800,000 to 1 million local and small businesses that are managed by Kaseya MSPs, about 800 to 1,500 have been compromised, according to Kaseya.
Kaseya, which has delayed the restoration of its service several times over the past few days, most recently said it planned to bring its SaaS servers back online Tuesday afternoon or Tuesday evening. The patch for the compromised on-premises version of VSA is expected to be available within 24 hours of SaaS service restoration.
“Our global teams are working around the clock to get our customers back up and running,” said CEO Kaseya Fred Voccola in a statement today. “We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”
One chief information security officer (CISO) from an MSP that partners with Kaseya said he wouldn’t bet on Kaseya service to be back up and running today. He said with the federal government now involved, Kaseya is making sure everything relaunches smoothly.
“They are taking the approach of: better to be safe than sorry,” said the CISO who declined to be named. “Yes, this is definitely frustrating for us and our [Kaseya] customers – thankfully, none were hit.”
The MSP said he will “patiently wait” until the official report is released on the attack to see what was affected and how Kaseya responded before judging the company’s delays. He said Kaseya has been keeping MSPs updated on the cyberattack, including consistent updates every four to six hours.
“I will tell you, Kaseya did a really good job in keeping us informed. At first, it was a shock to see the cloud shut down, but we’ve been kept up to date all weekend,” said the CISO. “I’m not sure what they could have done faster, but it looks like they would rather be safe than sorry.”
On July 2, Kaseya was alerted to a potential attack by internal and external sources. Within one hour, Kaseya said it immediately shut down access to the VSA software. The attack impacted approximately 50 of the more than 35,000 Kaseya customers being breached, according to the company.
Law enforcement and government cybersecurity agencies — including the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) — were notified and immediately engaged. Soon after the attack, with assistance from the FBI and CISA, the root cause of the attack was identified with REvil demanding $70 million.
REvil’s $70 million ransomware price in the Kaseya cyberattack is the largest-ever ransom demand to become publicly known, surpassing a $50 million ransom demand in March also made by REvil after compromising Taiwanese PC giant Acer.
Last year, REvil wanted $42 million from celebrity law firm Grubman Shire Meiselas & Sacks. Meatpacking giant JBS paid REvil $11 million last month to shield its meat plants from further disruption and limit the potential impact for restaurants, grocery stores and farmers.