Kaseya VSA Down Until Sunday; CEO Fred Voccola Apologizes To MSPs

Mark Haranas, Michael Novinson

‘The fact that we had to take down VSA is very disappointing to me personally. I feel like I let this community down, I let my company down, [and] our company let you down,’ says CEO Fred Voccola.

Kaseya CEO Fred Voccola apologized to MSPs overnight and told them both the SaaS and on-premise versions of the VSA tool will remain inaccessible until Sunday.

“The fact that we had to take down VSA is very disappointing to me personally,” Voccola said in an emotional video posted to Kaseya’s website at 2:45 a.m. ET Thursday. “I feel like I let this community down, I let my company down, [and] our company let you down. And that is not going away.”

Kaseya decided to not restore access to VSA SaaS late Tuesday as planned after third-party engineers and consultants as well as internal IT employees suggested putting additional layers of protection into VSA to defend against issues the company might not be able to foresee. Kaseya said the flaws exploited during Friday’s cyberattack have already been fixed, and the delay is to address other potential issues.

“It’s my decision to do this,” Voccola said in the message, which was emailed to customers Wednesday. “It was my decision, and no one else’s decision, to pull the release from yesterday [Tuesday] that we had committed … This was probably the hardest decision that I’ve had to make in my career, and we decided to pull it … to make sure that it is hardened as much as we feel we can do for our customers.”

Voccola said he’s “extremely confident” that the more than 36,000 MSPs using the cloud or on-premise version of the company’s VSA remote monitoring and management (RMM) tool will be coming back online by 4 p.m. ET Sunday. REvil exploited a flaw in Kaseya’s on-premise VSA tool to compromise nearly 60 MSPs and encrypt the data and demand ransom payments from up to 1,500 of their end user clients.

A Kaseya spokesperson told CRN Wednesday afternoon that agency and private groups testing VSA SaaS recommended the company take additional steps before making the product available online again. For the on-premise version of VSA, meanwhile, the patch for the vulnerability that REvil exploited was subjected to both internal quality assurance efforts and multiple independent third-party penetration tests.

“No one at Kaseya wanted this to happen,” Voccola said in a nearly 10-minute video message. “None of you wanted this to happen. We love our customers, and it pisses me off when we do things to hurt them. Especially when it’s something like this, where we’ve fallen victim to criminal acts, and it’s impacting everything.”

Voccola said that Kaseya will provide direct financial assistance to the MSPs who have been crippled by the REvil cyberattack. The New York and Miami-based IT service management vendor also plans to leverage its professional services team as well as third-party consultants to provide licenses, delays of payment, and other accommodations to address the needs of MSPs who have been down for days.

“Throwing money at problems does not always solve them. We get it,” Voccola said. “It’s better than not throwing money at them, but it doesn’t solve it.”

As far as the Kaseya VSA restoration timeline is concerned, which has been delayed more than a week already, the CEO of one Kaseya MSP customer is “over it.” “We’re past caring about the timeline delays now. We just want to make sure it’s done right,” said the CEO, who declined to be named.

“When I saw his video this morning and I was like, ‘Oh my god’. You feel for him. You can see the pain and suffering that he’s gone through,” said the CEO. “It was like he was sitting in the war room, which he probably was, with just a camera to put this video together. It looks like he had his sleeves rolled up and is getting everything together.”

The CEO said Kaseya provided his MSP with a detailed runbook of what MSPs need to do to prepare clients for the relaunch of VSA this Sunday. “The runbook is a detailed recipe of what to do with pictures, security documents, and things we should be doing. They put a lot of thought to it,” he said. “I’d rather make sure we do this right because the worst thing that could happen is that this goes out, then goes down again.”

To his surprise, Kaseya is also handing off many security tasks to MSPs to handle before their end users can restart Kaseya.

“So I’m assuming Kaseya is going to give me [VSA] back the way I left it, right? But what they’ve done for their security checkpoint is they’re giving us a whole bunch of things to check. They’re basically saying, ‘Don’t take our word for it. We want you to go through these security things, which isn’t a lot, to make sure that everything is the way it should be.’ So we have a couple of things to check,” said the CEO. “Also what they did is, when we get back our software, all of the services are turned off. So they want us to go out there and turn on some of the clients and test ourselves to be sure.”

The CEO said he’s actually in favor of Kaseya asking MSPs to handle several key tasks themselves to make sure VSA is up and running smoothly because, “we are Kaseya clients, but our clients are our clients.”

“I actually really like this approach because now we get to double check some things. Then we get to turn on a few of our clients to make sure that everything syncs and works correctly. Versus, it gets back on, something goes wrong, and now we have tons of people with issues,” he said. “It’s a very cautious way of doing it and it puts some of the onus on us because they’re truly our clients. I appreciate the cautiousness and I like the idea of giving us a security book to actually check what they’ve done before we unleash it.”