Kaseya Ransomware Attack Has Led To A Windfall For ThreatLocker: CEO Danny Jenkins
ThreatLocker co-founder and CEO Danny Jenkins says his company experienced record sales growth in July in the wake of the Kaseya ransomware attack and is adding 60,000 new seats a month to its application whitelisting solution.
Kaseya Showed The ‘Value’ Of ThreatLocker
When the Kaseya ransomware attack hit MSPs in July, ThreatLocker experienced a record four-fold increase in sales for the month, said ThreatLocker co-founder and CEO Danny Jenkins.
“We are typically demoing in any given week to about 100 MSPs, but we are demoing to over 1,000 MSPs at the moment,” said Jenkins. “It’s continuing to gain momentum. Kaseya showed the value [of ThreatLocker] and it helped us to deliver to it.”
The Kaseya ransomware attack, which is widely considered the biggest ransomware attack ever, left an estimated 60 MSPs and 1,500 end-user organizations with their data locked up by the REvil cybercriminals. Ultimately, the 10-day Kaseya VSA outage impacted 36,000 Kaseya MSP customers, with REvil demanding the largest ransom of all time at $70 million.
The attack also marked an epochal moment for ThreatLocker, which has implemented long-valued whitelisting technology used in the enterprise and brought it to MSPs as a game-changing ransomware blocker.
“We’re adding 60,000 seats a week,” said Jenkins. “We ordered 100 new servers last week. We are racking servers like you wouldn’t believe. We process billions of rows of data every hour.”
Whitelisting effectively turns the tables on the bad guys by blocking everything unless it has explicitly been allowed by an MSP or IT administrator.
ThreatLocker—which now has over 2,000 partners—is adding 50 MSPs per week to its customer base, said Jenkins.
How effective is ThreatLocker at stopping ransomware like the recent Kaseya attack?
ThreatLocker stops it dead. Kaseya had a vulnerability. People got into Kaseya because of that vulnerability. If the MSPs had whitelisted, the bad guys would have gotten into Kaseya but they wouldn’t have been able to push out the ransomware. It is very, very effective at stopping ransomware.
What specifically did you see in terms of bad guys pushing out ransomware the weekend of the Kaseya attack?
We saw 45 cases over the weekend of the Kaseya attack. … We typically see about 10 cases a week of someone getting into an RMM [remote monitoring and management] and trying to push ransomware to our clients, and we are stopping it.
How vulnerable are these MSP platforms to ransomware?
There are vulnerabilities in software and any MSP platform is subject to that. You have seen them throughout every single platform at this point. The problem is when they have these vulnerabilities they then get exploited and used against them.
What is the clarion call to MSPs?
You are sitting ducks. You need these MSP tools because you can’t do anything without them. The other thing is it is not only vulnerabilities. It is MSPs’ bad practices as well. I have a friend of mine in the U.K. I’ve known this guy for 15 years. He said to me, ‘I have got all these tools. You’ll never get into my system.’ So I made a bet with him that I could get into his system. Within 24 hours I had a remote access tool on his computer. I had his RMM password.
The problem is you have this super tool—the RMM. So the RMM can be breached. But the people that manage the RMM can also be breached. That might give them access to the RMM. So you have this super tool. You are basically walking around with an AR-16 without the safety on.
What is the call to action then for MSPs?
There has got to be a check and balance. You can’t have an AR-16 without safety.
The call to action is don’t leave your applications uncontrolled. Run ThreatLocker. Run whitelisting. Run ringfencing. Control what these platforms can do. It doesn’t matter whether it is Kaseya or SolarWinds or Angry Birds, some of this stuff is going to eat your lunch one day and it is going to chew you up.
How vulnerable are MSP platforms to ransomware at this point?
Incredibly vulnerable. If not because of possible vulnerabilities, but because they are accessed by people. They are open to access. Therefore, if someone gets into them they could use those powerful tools.
Is there any slowdown in ransomware for MSPs?
It is getting higher and higher and higher every week. As a security person and CEO of the company, I can tell you our stuff is locked down tight everywhere you can imagine, but it scares the crap out of me. I see all these systems and it’s not just whether they have ThreatLocker on their endpoint. I see MSPs that don’t lock down their service to the internet. They don’t put basic controls in place. I see it all the time. You can’t run your business like that.
How much at risk are MSPs?
They are incredibly at risk.
How many more ransomware breaches are we going to see through MSP platforms over the next 18 months?
We are going to see lots more. One question is how many more vulnerabilities are we going to see? We typically see a vulnerability on an MSP platform once a year. The ones that bite people are not necessarily the platform itself, it is the screen-control-type software. These vulnerabilities are the big cracks. But it is not just the vulnerabilities, it is people stealing API keys. It is brute force attacks. It is password stuffing. It is phishing on your engineers. The bigger you are as an MSP the more this happens.
I did a lot of ethical hacking. If I want to get into a company and there are two people who work there, it is very hard for me to get into that company. But if there’s 50 people that work there, one of those people is going to open something and then I’m going to get access to their machine. That’s the problem with many of these MSPs. They have got so many employees with no check and balance on them.
What are some of the characteristics of the MSP model that are driving these attacks?
The problem is they have grown really fast. They have grown in an environment where they really are just IT support and now they are having to be an MSP, and they are having to add security in. Some of them are struggling with a political change because they have to face their clients and say ‘I’m the doctor. Take the damn pills.’
A lot of them are scared about that. I have seen so many MSPs go through this transition where they go to their clients and say, ‘No, you are doing this. This is what we are pushing on you.’
It’s a transition that in most cases MSPs are struggling to make because of their own emotional state—not because of their clients.
You have to understand that most clients just want to protect their business. If you go to them and give them a compelling reason of why they need to protect their business, they are going to do it.
What is your response to partners concerned about the time it takes to move to a whitelisting solution like ThreatLocker?
The concern people have at first is how much work is it going to give me because now I have to permit things. The reality is if you are supporting 2,000 endpoints you are probably spending two hours a month managing that [with ThreatLocker].
What we find is that two hours is offset by so much more on the other end. Not only are you blocking ransomware but you are also saving [yourself] from shadow IT. You are also saving from unpatched software. Every time someone installs software that is now unpatched, they can do whatever they want with it.
How fast is ThreatLocker growing at this point?
We grew five-fold this year. With the Kaseya event in July we made four times more revenue than we made in any other month.
We literally had and still have our SEs [system engineers] working 12-hour days, some of them working six or seven days a week. We have support doing demos.
We are typically demoing in any given week to about 100 MSPs, but we are demoing to over 1,000 MSPs at the moment.
It’s continuing to gain momentum. Kaseya showed the value [of ThreatLocker] and it helped us to deliver to it.
The Colonial Pipeline [ransomware attack] also showed the value. We have quite a number of large enterprise customers.
So your best month ever was when Kaseya got hit?
Yes. We had a huge month in July, but most of our [prospective] customers are on a 60-day close cycle. So the boost we got in July was some quick closes. But also some existing customers who were just compliance customers and then decided to deploy us across their full stack now. That was huge.
We are adding 60,000 seats a week at this point. We ordered 100 new servers last week. We process billions of rows of data every hour.
How does it feel?
I don’t get time to think about it. I am too busy not sleeping. We just broke 100 employees. We just added nine new employees and we have got 17 ready to join in the next two weeks. We are adding about 50 MSPs a week.
How big a change have you seen in the view of the market on whitelisting and ThreatLocker?
Five years ago, every investor I talked to literally slammed the door in my face and said, ‘You have got the dumbest idea ever.’
I have literally gotten emails like that from investors, and those same investors are coming back now saying they are desperate to get in on this.
I have still got the same emails from them that say, ‘Whitelisting is dumb. It is a stupid idea. Why don’t you pivot and create an EDR [endpoint detection and response]?’
It’s nice to see it pivot to people desperately trying to invest versus people ignoring you.
People were telling us this wouldn’t work back then. We still have pushback from MSPs but it is getting less and less as more partners sign up. More partners are talking about us. We have over 2,000 partners.