As the FBI withheld the ransomware decryption key, JustTech was racing to help 120 clients impacted by the July 2 attack on Kaseya by the REvil ransomware gang.

JustTech is a Virginia-based MSP and Kaseya client. Some 120 of its 3,000 clients were impacted by the attack.

This week, the Washington Post reported the FBI withheld the Kaseya ransomware decryption key for nearly three weeks, leaving victims struggling to recover and stay afloat. The agency reportedly held onto the key as part of an operation to disrupt REvil. However, the operation failed.

The FBI shared the key with Kaseya on July 21. New Zealand-based security firm Emsisoft created a fresh decryption tool, which Kaseya released the following day.

Joshua Justice is founder, owner and president of JustTech.

JustTech’s Joshua Justice

“My reaction when I heard the FBI withheld the ransomware decryption key was the same reaction that I had when Kaseya released it three weeks after the cyberattack,” he said. “I wish we would have had it sooner. Immediately following the attack, we had no idea if a decryptor would ever be available and released. Our clients could not expect us to wait and see for weeks. The logical thing was to wipe devices and restore backups. We started the recovery within an hour after the attack.”

Many Types of Businesses Impacted

The impact was widespread among many types of businesses, Justice said.

“Resorts could not check visitors in and out on a busy holiday weekend, restaurants could not process payments and others could not conduct business when reopening after the holiday,” he said. “I managed JustTech communications from my son’s Chromebook as JustTech was also a victim in this attack. I worked to reassure clients that they would recover and we had a plan. There were a lot of emotional calls with clients and employees, especially in the first five days. As clients at least became functioning again, they understood our plan was working. Our clients have been so supportive through this.”

JustTech’s IT team members worked 18-hour days in the days and weeks following the attack, Justice said.

“Other JustTech personnel from other departments were brought in to assist in the recovery,” he said. “We had the 120 clients affected at least to a functional state in 10 calendar days (four weekend days, one holiday and five weekdays). Most clients were mostly recovered by day 15.”

Continuing Recovery

Months after the Kaseya attack, JustTech is still getting requests from clients of things they didn’t know they needed access to because it’s something they don’t use on an ongoing basis, Justice said.

“We gave our clients punch lists to share with us so every time we visit, we can address additional items,” he said. “The recovery is continuing every day, and our clients have been amazing and seem to really understand the gravity of the situation.”

Moving forward, JustTech is going to put even more emphasis not just on protection, but also recovery, Justice said.

“How can we recover more quickly; how can we lessen the pain from these growing attacks,” he said. “We are in the early stages, but are already seeing some potential to speed up the recovery. We are also going to continue to recommend that clients move more programs to the cloud and are continuing those discussions with our client base.”