Huntress CEO Kyle Hanslovan To MSPs On Kaseya Ransomware Attack: ‘Get It Together Or Go Out Of Business’

Kyle Hanslovan, the co-founder and CEO of Huntress, the threat detection provider that has played a key role in alerting MSPs to the REvil ransomware attack on Kaseya, says the time has come for MSP vendors and MSPs to ‘get it together or go out of business.’

‘Left Unchecked, The Worst Is Yet To Come’

Even as MSP platform provider Kaseya grapples with the largest ransomware attack in history, Huntress CEO Kyle Hanslovan says that “left unchecked, the worst is yet to come.”

In fact, Hanslovan (pictured), who has become a high-profile advocate for better security policies and procedures in the MSP community, said he expects to see more of the REvil ransomware that has impacted 50 MSPs and more than 1,000 customers.

“I think we are going to see this even more in the future,” said Hanslovan, whose 100-member team has been working around the clock since Friday afternoon helping MSPs and customers impacted by the Kaseya attack. “It is REvil today. But there are a dozen other ransomware as a service groups that will copy this.”

Huntress called Kaseya within 30 minutes of the REvil attack on Friday afternoon to help counter the cybercriminal organization. At that time Kaseya shut down their VSA servers. “Imagine if instead of it being 30 MSPs it was 17,000 MSPs,” said Hanslovan. “That is what I am talking about. Left unchecked, the worst is yet to come.”

REvil is “dangerously efficient,” said Hanslovan, noting the attackers targeted MSPs to lock up the data of thousands of customers in one fell swoop. “It shows how innovative they are to use the supply chain to maximize their bang for the buck. They are quite business savvy. Why go one computer at a time, one company at a time, when you can do one to many? I think this incident highlights their business savvy.”

Hanslovan, whose company helped connect MSPs that provided much-needed technicians to help those colleagues impacted by the Kaseya attack, pointed out that other MSP vendors including ConnectWise and N-able have also in the past faced highly publicized attacks. “The MSP community needs to hold vendors responsible for better code quality,” he said.

Last but not least, there needs to be more cooperation among the MSP community and vendors to gather threat intelligence, said Hanslovan. “We are pulling that information centrally and pouring it into the FBI’s hands so they can take action,” he said. “We are hoping for more of that community-wide effort of knowledge sharing, transparency and rallying is what is needed.”

What follows is an edited portion of CRN’s interview with Hanslovan.

Did you ever imagine that MSPs would be the gateway to what is now the biggest ransomware attack in history?

I am taking a glass-half-full view of this instead of being a fear mongerer. But this is bad. Let’s not sugar-coat it. This situation is bad, bad for MSPs, bad for customers, bad for business. But where I am going to take this a step further is this situation has finally gotten the attention to start holding us all accountable: holding vendors accountable, holding MSPs accountable, holding government accountable.

I think it is overdue. To be honest the enterprise gets the attention because it is a big deal when somebody like Microsoft Exchange has a vulnerability.

This is the second time in which ransomware with Kaseya alone has been deployed. Ransomware was deployed with several ConnectWise products. So for me, I am glass half full. I am hoping this is the eye-opening event that makes us realize it is time to change. It is time to take security seriously. Security is no longer optional.

You are never secure. You have to earn your secure status every single day. I think that is the reason that Huntress is shining right now. We have had this posture for five-plus years. Everyday, we have to earn our security. It is time for the rest of the community to catch up.

What is the message to the general MSP community on this moment of reckoning?

The thing that needs to be said is: Get it together or go out of business. That extends to MSP vendors as well – not just MSPs.

Has Kaseya not done the best job in terms of security?

Historically, no. They have come a long way with the way that they are handling this. But this is about the whole community. It is really easy to single out Kaseya because it is right there in front of us. But I can list for you a half dozen MSP vendors that this has happened to in the last two years, and it has been the same story.

It is about code quality and not taking quality assurance seriously, not taking bug reports seriously. That is why I said, ‘Get it together or go out of business’ -- that refers to not only MSPs but also for vendors.

Put this MSP ransomware attack into perspective for us. What does it mean?

I am not aware of a ransomware incident larger than this one to date. This is by far the worst ransomware attack ever. Left unchecked, the worst is yet to come.

To be honest the Microsoft Exchange vulnerability we saw [in March] was only used to create backdoors. That was a worse event than this with more businesses total compromised. But they didn’t use it for ransomware. There are other avenues that could have made this worse.

We called Kaseya within 30 minutes of this happening and they proactively shut down all of their servers. Imagine if instead of it being 30 MSPs, it was 17,000 MSPs. That is what I am talking about. Left unchecked, the worst is yet to come.

What does it say that the worst ransomware attack on record came as an attack against MSPs?

REvil is dangerously efficient. They run their company as a business. It shows how innovative they are to use the supply chain to maximize their bang for the buck. They are quite business savvy. Why go one computer at a time, one company at a time, when you can do one to many? I think this incident highlights their business savvy.

Do you expect REvil to continue to target MSPs to get to end users?

I think we are going to see this even more in the future. It is REvil today. But there are a dozen other ransomware-as-a-service groups that will copy this.

What specific ransomware activity has resulted from this REvil attack?

Some MSPs are being extorted. There are three tiers of ransom that are happening right now. Very small businesses are getting usually a $50,000 ransom. Very large organizations, including some of our larger MSPs, have a $5 million ransom. And you have probably seen the threat actors have communicated that they will release a decryptor for all MSPs and all clients for $50 million. It was $70 million. It is now $50 million.

What do MSPs and the MSP community need to do stop this barrage of ransomware attacks?

Obviously, we are recovering. This isn’t going to be the end of this. The MSP community is a supply chain. This was a supply chain attack. This was not the first time. This will not be the last time. But there is a handful of things we can do.

First, we need restrictions and higher expectations of our vendors – Huntress included. We as a community are not taking good enough care of our source code. ConnectWise has had [source code attacks]. Kaseya has had a couple. SolarWinds had one not just with Orion but also with the N-able product. We need bigger expectations. The MSP community needs to hold vendors responsible for better code quality.

No. 2, we need better cooperation. Right now, Huntress is leading this effort, but it is a whole community effort to gather the threat intelligence. We are pulling that information centrally and pouring it into the FBI’s hands so they can take action. We are hoping for more of that community-wide effort of knowledge sharing, transparency and rallying is what is needed.

So vendors need to do their part with better code and better audits to make sure this can not happen so easily.

When this does happen, the key is, ‘How do we collaborate. Did you see all of the MSPs rallying to help each other?’ We have had over 70 MSPs offered their time and effort to help these other MSPs that don’t have surge capacity.

Think about it if you have 50 clients and you are compromised, but you only have a staff of 20. You can handle one or two clients that are encrypted, but you can’t handle all 70 or all 50 clients getting encrypted. So these MSPs in the peer groups have offered to fly out and help the MSPs impacted get up and running. This has been on an international scale. We have connected MSPs in New Zealand, the European Union, the U.S. and Canada with each other. Our message to those MSPs impacted was I know you are having the worst day of your life but there are other MSPs that want to help you recover.

Vendors have to be accountable and the community needs to rally together when this happens. We are a community and we must rally together to show our strength. Otherwise the MSP community is going to lose trust. And companies - mid size businesses and below - aren’t going to look to us for help with managed services.

Is there a risk that small and mid-size businesses could lose confidence in the MSP community?

That risk has been there since 2019. I can tell you businesses as a whole ask Huntress: ‘Can you tell me the difference between a good MSP and a bad MSP?’ Small and midsize businesses are already questioning MSPs. This is only going to further that.

Do you think there needs to be regulation of MSPs?

I do think regulation could help standardize across multiple states what is expected of MSPs. Imagine if you are a regional or a national player and you have 50 different states with 50 different regulations. That would be a nightmare.

I don’t know many folks in business that are excited about additional regulation. I would love to see it be self-regulated by MSPs instead of federally regulated.

But I am skeptical. Since 2019 these kinds of attacks have been normal. Everybody is making a big deal of this, but this happened four or five other times - just not to this scale. It already happened once with Kaseya where ransomware was deployed and the hackers targeted MSP customers.

The federal government has been working with MSPs to better secure them and give them better guidance.

You are doing a live webinar for MSPs titled ‘Recovering From a Mass Ransomware Incident’ Tuesday at 1 pm EST. What are you going to be telling MSPs?

It is going to be two-fold: first we will catch MSPs up on what has happened here. There are a lot of details. Our team has not slept since Friday at noon.

We have a team of about 100 people and it has been an around the clock, all-hands effort. So there is going to be a lot of insider scoop showing MSPs what happened - making sure we are transparent about what happened.

The second part is a community war-cry and rally. If we want to be taken seriously as MSPs and you want to be part of a community, cooperation has got to happen. Competitors have got to step up and bridge the gaps with each other whether that is vulnerability discussions or talking about how we can better communicate.

The reason Huntress is out in front of this is because internally we have it together. But the vendor-to-vendor communication could be better. There could be something for instance that could be done with CompTIA’s Security Analysis Organization that is supposed to be used for sharing threat intelligence. It didn’t really have a role in this. There should be a bigger MSP information sharing group that keeps all MSPs accountable. Finance has it. The electrical grid has it. The state government has an information sharing group. It is time for an MSP information sharing group that takes action and can cooperate.

Again, the first half of the seminar will be to catch MSPs on what happened, and the second half will be rallying war cry of we are going to bond together or we are going to fall apart.

What is your call to action for the 50 Kaseya MSPs that were hit directly by this attack?

The call to action at the end of the day is take control of your business. The amount of companies that are waiting for Kaseya to pay for the decryptor or waiting for an all clear is not acceptable. Your (legal) counsel and you have to take control of your business. It is not Kaseya’s business. It is yours. What is killing me is even though I agree they need to leave their servers offline and wait for the patches are there. But you can’t wait to restore your clients. There is some extra liability that people might take with the approach that I have shared. That is why I said make this decision with your customers.

We are aware of over 30 MSPs that have been impacted. My gut feeling is the number will be in the low 50s to 60s of total MSPs that shakes out by the end of this. We have already confirmed over 30.

We stopped counting at over 1,000 businesses impacted by this. On average, MSPs have about 30 customers. We do believe that it is going to be in the low thousands of businesses impacted by this. Probably under 10,000 businesses would be my educated guess at this point.

Let’s call it 2,000 businesses that are encrypted right now. That is 2,000 businesses that need their MSPs to restore confidence, that need their MSPs to get them back up and running. Because at least in the U.S., tomorrow begins the work week and they are going to need functional networks. It is just really killing me to see people wait.

How has Kaseya done with regard to communication on the attack?

I am glad with the communication that Kaseya has been giving. Huntress has worked with Kaseya on two past events. One was a ransomware exploit that attacked a plug in in VSA. The other one was another exploit in VSA that deployed cryptocoin mining.

Kaseya has been way more transparent and collaborative on this one. However, I wish they would communicate better with their customers. I wish they could communicate better with the partners.

People really are waiting for Kaseya to give them the all clear. I just don’t believe it is going to happen. Why is Kaseya the authority on when you decide to restore your customers? Obviously they have inside scoop. But you have got to take control of your business.

There is an old ProPublica article written by Renee Dudley that labels MSPs as ransomware enablers because of this exact same issue. If we thought that was bad in 2019 wait until you see what happens from this. This is everywhere. Every article especially with the political angle here is talking about MSPs being the supply chain vulnerability.

How many MSPs are sitting there waiting for the all clear?

Kaseya has 17,000 MSPs and they have told everyone to shut off the VSA. I would assume that 16,950 of them are waiting for them to turn this on for the all clear.

I am not suggesting MSPs turn on their servers. I am suggesting that those impacted start the recovery. That means there is over 16,000 MSPs waiting to know if they can start business.

What stinks is that anybody outside the U.S. started doing business today.

You have tracked the MSPs that have been impacted around the globe. What regions have been hardest hit?

We have seen partners hit in the U.S., European Union, Australia/New Zeland and Latin America. In those four regions we have seen at least one MSP. We haven’t seen any in APAC (Asia Pacific/Japan).

What is key for MSPs that are still grappling with this Kaseya MSP ransomware attack?

Don’t underestimate the importance of working with Kaseya’s attorney. They are going to need to not take that risk. But at the end of the day these are their businesses.

Compromised MSPs should be focusing on client restoration - not themselves.

We are waiting for Kaseya’s all clear for those that have been compromised. Unfortunately, some MSPs are treating that as they have to wait for everybody’s restoration.

What is the message to the rest of the MSP community that has not been impacted here?

For those not impacted by the Kaseya vulnerability but run a remote monitoring tool, now is the time to forewarn your clients how this could absolutely happen to them as well. Then you can be prepared to quickly restore them. Bottom line: MSPs need to prepare their clients and let them know this could happen to you too and we are the type of MSPs that are going to help you quickly restore.

Likewise those MSPs need to be preparing. We even released in 2019 with NinjaRMM (All in One MSP Tool Provider) an absolutely amazing one hour and 45 minute video giving MSPs step by step guidance. What is crazy is that 2019 video on YouTube is just as actionable here in 2021. The reality is not enough people watched it and hardly anybody took action on it.

Are there MSPs that rely on Kaseya for remote management and monitoring waiting for “all clear” from Kaseya rather than working on their own to restore their client’s data from backups?

That is true for some MSPs, but we have seen some MSPs to be honest that have done a great job. I can’t tell you how much of Huntress’ threat intelligence is coming from MSPs.

I think there is a big difference between MSPs that are truly operationally mature and those that aren’t doing this.

How much work has Huntress done here since your team sprung into action on Friday afternoon?

The three things we have been laser-focused on are: how do we detect and respond to this incident--and most importantly, how do we help our MSP clients recover from this incident? Detect, respond and recover is what we have been focused on. Our team has been great. Internally the amount of things our security researchers have discovered that have made a big impact is huge. The amount of intelligence that MSPs provided Huntress that enabled us to educate the whole community was pivotal.

How did the MSP community as a whole respond to this?

There was a rallying of MSPs offering to help those MSPs that were compromised by the ransomware attack. We were the middlemen in that. We connected those that had technicians that could help with those that were compromised and needed those technicians. Our role was important but without the community stepping up and helping each other it would have been rough.

How many MSPs sent technicians to their brethren?

Seventy MSPs volunteered to help. We connected probably about a dozen to help those that were compromised. Capacity was a problem for some MSPs who did not have enough technicians to restore all their clients. We found people that had the extra technicians and connected them with people who needed their help.

How did that feel to help make that happen?

It was super-fulfilling. The MSP community came together. MSPs could have taken a competitive stand and said – ‘Let ’em burn - that is my competitor.’ But instead of kicking them while they were down, they pulled them up. That is awesome!

I think it shows the camaraderie of the MSP community. It shows we are stronger than just individuals. We are a community. That is why Huntress calls our partners - partners. We couldn’t do it without them. They couldn’t do it without us.