Kaseya 'Saves Face' as Customers Get Help to Recover from Cyberattack

Kaseya can't confirm or deny a ransom was paid.

Edward Gately, Senior News Editor

July 22, 2021

3 Min Read
Helping hand

Kaseya customers still suffering from the VSA supply chain ransomware attack got some good news.

Kaseya has acquired a universal decryptor, said Dana Liedholm, the company’s senior vice president of corporate marketing. It allows victims of the July 2 REvil ransomware attack to unlock encrypted files for free.


Kaseya’s Dana Liedholm

“It’s being used successfully as we reach out to our customers and support them in using the tool,” she said. “We received the tool from a trusted third party, and I can’t confirm or deny whether a ransom was paid. The progress is good and we will continue to roll it out with support from Emsisoft.”

The Kaseya VSA attack impacted nearly 50 customers. That includes 35 MSPs. About 1,500 of their customers also suffered.

The attackers breached Kaseya VSA, its remote monitoring and management (RMM) service. All of the MSPs were using the VSA on-premises product.

Great Development for Kaseya Customers

Purandar Das is co-founder and the chief security evangelist at Sotero.


Sotero’s Purandar Das

“This is a great development for the victims in this attack,” he said. “They are able to recover their systems and data without making exorbitant ransom payments. Also, Kaseya is able to save face by acting as the intermediary in this transaction. This in some way reinforces the notion that nation-state actors have been providing patronage to criminal gangs and they do benefit from this partnership. Some questions that still need to answered are whether Kaseya was aware of any attempts prior to the actual attack, since it seems likely the attackers would have attempted to perfect their approach. What additional steps has Kaseya taken in the near term and longer term to mitigate these attacks?”

The REvil ransomware gang mysteriously disappeared in the weeks following the Kaseya attack.

Erich Kron is security awareness advocate at KnowBe4.


KnowBe4’s Erich Kron

“This is great news for the victims of this attack,” he said. “However, significant damage has been done already in the way of downtime and recovery costs, both currently and in the future. Even with the data decrypted, there are significant costs associated with restoring devices and data. Simply decrypting the data does not resolve issues that remain, such as potentially installed backdoors the attackers could use at a later date. This means there is still a lot of work ahead.”

Still Much More to Deal With

Even with the release of the universal decryptor, organizations that had data exfiltrated still have to deal with the impact of a data breach and all that entails, Kron said. For regulated industries, this could be very costly.

“This should be used as a lesson for organizations of all sizes, hopefully resulting in better protections within organizations and MSPs alike,” he said. “Whenever an organization trusts external entities with the keys to their kingdom, they are undertaking a serious risk. Likewise, when MSPs are given this access, it is imperative that they aggressively protect their customers. For organizations that have been taken down by ransomware due to the lack of backups, or if their backups were encrypted, leaving them vulnerable, this is a great time to have some hard discussions with their service providers in an effort to eliminate the threat in the future.”

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.

Read more about:


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like