Fred Voccola can sum up the ransomware strike that shut down Kaseya’s VSA remote monitoring and management solution last summer in two predictable and entirely understandable words.
“It sucked,” said Voccola, Kaseya’s CEO, in a keynote this morning at the company’s ConnectIT event in Las Vegas. “It sucked for everybody in this room who is using our RMM.”
For those users, the incident sucked because it left them without a critical tool for over a week. For Kaseya itself, the $12 to $14 million hit on the company’s bottom line only begins to describe why it sucked.
“It’s embarrassing,” Voccola told his audience this morning. “It’s our job to figure out how to live up to our commitments and we let this group down, and we take that very seriously.”
That said, Voccola continued, Kaseya can take at least some pride in the way it handled the crisis. For one, just 56 of its roughly 37,000 customers had their data encrypted.
“That’s 56 too many,” Voccola said, “but there’s only 56.” None of those organizations had any data exfiltrated either, he noted
Kaseya also acquired a decryption key for the attack and distributed it immediately, Voccola added. Contradicting media reports from earlier this year, Voccola insisted that Kaseya didn’t give REvil, the cybercrime organization responsible for the VSA attack, money in exchange for that key.
“Kaseya didn’t pay a dime of ransom,” Voccola said. “That’s a fact.”
Voccola declined to specify who supplied the decryption key, but suggested it was a third party using sophisticated techniques. It was that organization’s eagerness to hide those techniques from threat actors that explains the non-disclosure agreement Kaseya made MSPs sign before receiving the key, he added.
The VSA breach, Voccola observed, is just one manifestation of a larger phenomenon impacting huge numbers of people at accelerating rates. Indeed, 64% of U.S. IT decision makers surveyed by security vendor ThycoticCentrify for a research study published yesterday have been hit by ransomware in the last 12 months. Global damages from ransomware will total $20 billion this year, according to Cybersecurity Ventures, and reach $265 billion by 2031.
“This is an existential threat to our way of life, and it’s been amplified substantially over the last 18 months,” Voccola said today.
Overwhelmed law enforcement agencies, insufficient spending on cybercrime-fighting efforts, and easy access to “anonymous currencies” like Bitcoin ensure that attacks on RMM makers and other high-profile targets will continue, he added, as do the light penalties cybercriminals pay.
“Relative to the amount of financial gain you can make, it’s a slap on the wrist,” Voccola said.
VSA emerged from the July incident more secure than before thanks to the extensive scrutiny it’s received from security researchers, according to Mike Puglia, Kaseya’s chief customer marketing officer, in a ConnectIT keynote.
“It has had a lot of eyes on it, for better or worse,” he said. “We’ve made a lot of improvements and I feel extremely confident that nobody else has undergone [more] interrogation by people over the last three months.”
Kaseya plans to invest heavily in efforts to prevent additional incidents in the future, Voccola emphasized.
“We spent a ton of money and resource and effort on our security posture before this happened. Clearly it wasn’t good enough,” he said. “My biggest lesson, and our biggest lesson as Kaseya, is we can’t wait to adjust. You have to always be a step ahead.”
To oversee those efforts, Kaseya has appointed Jason Manar its new chief information security officer, the company announced yesterday. Most recently assistant special agent in charge of cyber, counterintelligence, and intelligence operations for the FBI, Manar was part of the response team assigned by the federal government to the VSA attack.
In addition to being an enormous threat, cybercrime is a major revenue opportunity. Global spending on cybersecurity by SMBs worldwide will rise at a 10% CAGR from $57 billion last year to $90 billion in 2025, according to Analysys Mason. Security products, moreover, already account for about $250 million of the roughly $400 million in annual recurring revenue Kaseya currently collects.