5 Takeaways On Kaseya Cyberattack From CEO Fred Voccola
CEO Fred Voccola tells CRN how Kaseya is assisting MSPs compromised in the ransomware attack, what the company must do before restoring access to its VSA tool, and why cryptocurrency poses such an immense danger to society.
The REvil gang has pulled off one of the biggest ransomware heists in years, exploiting a vulnerability in Kaseya’s on-premise VSA remote monitoring and management tool to compromise roughly 50 MSPs and encrypt the data and demand ransom payments from more than 1,000 of their end user customers.
Kaseya CEO Fred Voccola spoke with CRN Saturday afternoon to discuss how Kaseya is assisting impacted MSPs, what the company must do before restoring access to its VSA tool, and why the company decided to terminate access to the SaaS version of its VSA software even though only on-premise customers were compromised.
“We spend tens of millions of dollars in our security organization on R&D, best practices, external pen tests. You name it, we do it,” Voccola told CRN. “The question then becomes, ‘How good are you at preventing it?’ Well, no one is. The bad guys are highly motivated. It’s ’How quickly and effectively can you respond to make sure that you minimize the impact?’”
Here are Voccola’s major takeaways on what the ransomware attack means for Kaseya, its MSPs, and the cybersecurity industry at large.
5. Patch For On-Premises VSA Is Being Tested Before Restoration
We identified the vulnerability, we know how it [the cyberattack] happened, we’ve patched it ... Now we have the independent pen testing on it. We have what’s called double blind testing. You have two separate independent [organizations] doing it, in addition to our own QA [quality assurance] before we turn things back on …
The remediation team is making sure that we’re identified the vulnerability. We’ve actually built the patch now. And now we have the two independent pen testing and validation groups looking at that, in addition to our own QA [quality assurance] side. And then we look to release it [the patch], and then we look to open up the product again …
I think they [SaaS and on-premises VSA] will both probably come online at the same time.
4. Transparency, Collaboration Vital To Keeping Customers Safe
I’ve probably had 100 customers and dozens of people in the industry reaching out and asking, ’How can we help? What do you need? Do you need anything? Hang in there. What can we do?’ Leaning into that and being transparent and saying, ’Look, this has happened to just about everyone. That doesn’t make it okay, but it makes it the way it is.’
We’re better if we get help and ask smart people to help instead of trying to hide it and manipulate it. No one likes seeing their company in The Wall Street Journal and Reuters for a hack. That sucks. But at the same time, I think it’s the best way to take care of our customers. I’ve never experienced anything like this before.
It‘s been reassuring to me, the amount of people that have reached out and said, ‘Hey, we want to help.’ ConnectWise is one of our biggest competitors, right? Jason Magee, the CEO of ConnectWise, he sent me a text. Jason and I go back 20-something years, we’ve known each other a long time. It was, ’How can we help?’ I think he was being genuine. It was cool.
That’s the community we have. I think we all realize that these actors are bad actors, and we’ve all got to gang up on them if we’re going to win this thing. That’s the lesson that this experience has reinforced.
3. Cryptocurrency Means Hackers Aren’t Worried About Getting Caught
There are political hackers, like SolarWinds. The people who hacked SolarWinds, they weren’t interested in ransoming customers for money, they were trying to get high level information out of various governments. And then there are what I call the commercial terrorists. They’re the people that are doing it for money. They’re the modern day Jesse James. They’re thieves.
With the cryptocurrencies that are out there, there’s no recourse for these people. If you hijack someone’s machine and you say, ‘Give me a million bucks in Bitcoin, $1,000 in Bitcoin, there’s no recourse. It’s a problem that I believe the world needs to really look at. It’s not hacking, because criminals are always going to do what they do. It’s the fact that the payment for these bad actors can’t be traced. That’s so scary.
I’ve been saying this for like five years. I’m not a big government guy. I’m not a regulation guy. I’m not talking politics. But this is really concerning, and not just in our space. You have human trafficking, you have money laundering, it’s all crypto stuff. It’s tough. It’s really tough. Until that gets fixed, it’s gonna keep happening because there’s the unlimited incentive of, ‘If I do it, I can’t get caught.’ And that’s scary.
We all need to wake up and realize that we’ve created a way for criminals - not just cybercriminals - kidnappers, human traffickers, narcotics people, money laundering - we’ve created a market for them to be paid for it ... This has opened my eyes. People smarter than me who deal with public policy really need to look at this, because it’s horrifying. It’s scary. The numbers are just crazy.
2. Kaseya’s Giving MSPs, End Users Legal And Technical Help
We are helping. Most of the customers of our MSPs - and our MSPs - are not huge companies. They’re not like IBM or Tata. We have a big legal department, we have a lot of external legal resources that are experts in this stuff, we have backup and recovery experts that help. There’s a lot of things that we’re doing for them.
The technical teams are working with them [impacted MSPs] around the clock. We’re helping them from a legal perspective. We’re helping them deal with with the authorities, whether it’s federal or state. We’re helping them navigate with their insurance providers.
We have a lot of resources as a company, and a lot of our customers don’t. A lot of times, they need to talk to a lawyer. They need someone to review their logs. Anything that we can do to help, [we will] … Our technical response teams have been able to assist and provide value.
6: 1. Shutting Down VSA Tool Helped Minimize The Bleeding
We found there was something funny going on. We didn’t know if it was a breach or hack or whatever, but something funny was going on. Our playbook says, ’If you don’t know what’s happening, don’t allow people to access the capability.’ So we put our SaaS servers on maintenance ... We’re not sure what’s up exactly, but something’s fishy. It might be a minute, and it might not be a minute. We don’t know.
That turned out to be the best decision that we could make. It’s not an easy decision to tell 37,000 customers, ’Hey man, we’re turning you off,’ without having direct evidence of an imminent threat, or something horrifically bad. I’m very grateful that the people who build these processes and make these decisions at Kaseya are as conservative as they are…
The decision wasn’t anyone’s. It’s what our policy is. The experts who wrote our playbook, it was their decision. Like anything else, there was a person [at Kaseya] who had to execute that directive ... This is what they were supposed to do, but they had the courage to go ahead and do it.