Kaseya Postpones Bringing ITSM Platforms Back Up
Kaseya has decided to postpone bringing its IT service management (ITSM) platform back online after a ransomware attack until Sunday afternoon July 11, 2021, Eastern Standard Time.
Previously, the company had committed to bringing both the software-as-a-service (SaaS) platform and the on-premises edition of its platform back online earlier this week. However, on the advice of security consultants, the company decided to postpone bringing the SaaS platform online to add additional layers of security they recommended, said Kaseya CEO Fred Voccola during a video message shared with customers.
Kaseya has said that approximately 60 of its customers running the on-premises edition of the Kaseya Virtual Systems Administrator (VSA) platform were impacted by a ransomware attack launched by cybercriminals affiliated with REvil. Those cybercriminals have reportedly asked for $60 million for the keys required to decrypt those instances of VSA.
The larger issue is that many of Kaseya’s customers are managed service providers (MSPs) that manage IT environments on behalf of other organizations. It’s currently estimated there are 150 organizations, in total, that have been impacted directly by the breach. However, there are now thousands of other organizations that either directly or indirectly rely on the Kaseya ITSM platform to manage their IT environments. Assuming Kaseya meets its Sunday, July 11, 2021 at 4:00 PM EST timeline, those organizations will not have had access to the Kaseya platform for more than a week.
“That’s a long, long time to be down,” said Voccola. “Our company let you down.”
Kaseya is promising to reveal more details on both the attack next week as well as what parts of its platform have been updated as a result. Right now, authorities are advising the company not to disclose those details while they continue to hunt for the perpetrators, said Voccola.
The company is also pledging to set aside millions of dollars to help MSPs recover from the financial harm they are currently experiencing. Many MSPs have terms of service agreements with end customers that many are currently unable to honor. Some portion of those customers may already be looking for an alternative ITSM provider.
It’s not clear to what degree Kaseya may have any legal recourse, even if the cybercriminals that launched the attack are identified. Cybercriminals typically operate out of countries that don’t have meaningful extradition treaties with the U.S. Cybercriminals would have to first be indicted in the U.S. and then a way must be found to bring any alleged perpetrator(s) of the attack to trial in the U.S. For example, if, for some reason, the cybercriminals left the country they are residing in to visit a country that has an extradition treaty with the U.S.; the odds of that happening are, naturally, long.
In the meantime, it’s clear cybercriminals have identified the ITSM platforms employed by MSPs as a rich target that, once compromised, enables them to potentially infect thousands of systems. It will be up to each organization to decide the degree to which they want to continue to rely on MSPs that are clearly under siege. However, it’s notable that swapping out one ITSM platform for another doesn’t necessarily guarantee a different outcome.
