The official YouTube channel of Kaseya, the latest organization attacked by no less than the criminals behind REvil ransomware, released a video of Fred Voccola, Kaseya's CEO, giving a first-hand account of what happened during the attack, the facts on affected customers, and the next steps they're taking to get clients back up and running as quickly as possible.
On Friday afternoon, the 2nd of June, Kaseya started receiving reports of "suspicious things happening," Voccola said in the video.
"We weren't quite sure exactly what it was, but as third parties, the community, our own monitoring customers, we started noticing some strange behaviors," Voccola recounted in the video. "Within an hour, we immediately shut down VSA."
The service shutdown has painfully disrupted all their VSA users, but it was an easy decision to make and not without basis, Voccola said. "Our cybersecurity playbook states very clearly [that] the first thing to do is to protect and make sure anything that's potentially dangerous doesn't have a chance to harm multiple parties," Voccola said.
Voccola said that, in part due to the modular nature of Kaseya's security architecture, the company's rapid response team—with extensive support from Homeland Security, the FBI, and the White House—managed to contain the breach to one module of IT Complete, Kaseya's remote monitoring and management (RMM) module. The attack affected just one module of IT Complete out of the 27 modules.
That module includes approximately 50 of its approximately 37,000 customers, Voccola said. Kaseya's customers are primarily managed service providers (MSPs), who provide outsourced IT services to approximately 800,000 to 1,000,000 SMBs around the world. Kaseya believes that the SMBs directly affected by the REvil ransomware attack number between 800 and 1,500.
As for what Kaseya is doing now to get the affected RMM module back up and running, Voccola gave the "incredibly conservative" timeline of "in the coming hours" today, the 6th of July. (Update: as of 8:45 am on July 7, that update still has not taken place.)
If you're a Kaseya client, you can get first-hand updates on the VSA incident here.
Voccola also directly addressed the 50 customers who were breached: "We hope this message does not sound like we're diminishing it by saying less than 0.01 percent of our customers were breached... We are here to help."
Kaseya's CEO also imparted some advice for other organizations.
"When something happens, it's how prepared the organization was, how quickly the organization is to admit something happened," Voccola said. "Seek help from people and try to get focus on the customers and get information out there."