IT for service providers biz Kaseya defers decision about SaaS restoration following supply chain attack

IT management software provider Kaseya has deferred an announcement about restoration of its SaaS services, after falling victim to a supply chain attack that has seen its products become a delivery mechanism for the REvil ransomware. The company’s most recent update on the incident, dated July 4, 2021 5:45 PM EDT, initially …

  1. sanmigueelbeer Silver badge
    1. MJI Silver badge

      Would be cheaper to hire a hitman.

      1. Clausewitz 4.0
        Devil

        If the guys behind it are protected, there would be a second hitman for the first hitman.

        No point in hiring one.

    2. cyberdemon Silver badge
      Devil

      REvil demands US$70m for 'universal decryptor'

      A better headline:

      Doctor REvil holds world to ransom for "70 Meeeeellion Dollars!"

  2. katrinab Silver badge
    Windows

    Surely they are finished as a company?

    I don’t see how you can recover from this.

    1. sanmigueelbeer Silver badge

      Re: Surely they are finished as a company?

      I don’t see how you can recover from this

      Phoenix-ing can. Close down the "Kaseya" and re-open under a different name/brand.

      1. MiguelC Silver badge

        Re: Surely they are finished as a company?

        Maybe not even that; did SolarWinds change their name?

        1. AW-S

          Re: Surely they are finished as a company?

          SolarWinds is now n-able as of last Friday - for most products/services.

          1. Glennda37

            Re: Surely they are finished as a company?

            No it's not - that is the MSP product they bought being reverted to its original name.

    2. Pascal Monett Silver badge

      Re: Surely they are finished as a company?

      Is TSB finished ?

      They'll recover. The Public is abysmally incapable of drawing the proper conclusions and all those companies would need to change their infrastructure and software stack, and that costs money, whereas risk can be insured.

      Can we have a vomit icon ?

      1. HildyJ Silver badge
        Facepalm

        Re: Surely they are finished as a company?

        The problem is that the public, which includes most of the management of most companies, has, in matters like this, the knowledge of a social media influencer and the attention span of a TikTok video.

      2. Anonymous Coward
        Anonymous Coward

        Re: The Public is abysmally incapable of drawing the proper conclusions

        while I share the sentiment, in general, what EXACTLY are the (mythical) Public supposed to do, other than draw the proper conclusions? Storm the HQ? Overthrow the governments (all of them, to make sure) so that they send the army (all of them, to make sure) to storm the HQ? Put pressure on their governments "to do something!"? I'm pretty sure, if you ask any government farm-person, they will fart that "our government is absolutely committed towards ensuring that, etc, etc." And if you overthrow the current government and set up the new one (better, oh yeah!), the new fart-person will fart exactly the same tune.

    3. Anonymous Coward
      Anonymous Coward

      Re: Surely they are finished as a company?

      too big to fail

    4. Potemkine! Silver badge

      Re: Surely they are finished as a company?

      Since when do we learn lessons from history?

    5. Anonymous Coward
      Anonymous Coward

      Re: Surely they are finished as a company?

      Stock dropped by half at the time (Dec 2020) but has bounced back to about 73% of pre-hacking levels now. Of course the stock price might measure nothing but hubris. In a world of zombies, walking while dead isn't such a stigma.

    6. Cinderellaphant

      Re: Surely they are finished as a company?

      People are desensitized about crypto hacks by now. They will probably read as far as the headline unless they are in IT.

    7. Robert Forsyth

      Re: Surely they are finished as a company?

      People/Companies/Governments/Doctors need to be allowed to learn from their mistakes, if they don't learn, then bin them.

      Scapegoating can perpetuate a mistake, or nothing is done/learnt for the money spaffed.

  3. cantankerous swineherd Silver badge

    here's hoping it was a sophisticated sql injection, really embarrassing otherwise.

    1. gerdesj Silver badge
      Childcatcher

      "sophisticated sql injection"

      Bobby tables is at it again

  4. gerdesj Silver badge
    Gimp

    "It’s been posted to cloud storage locker Box"

    It's on a file sharing thingie. It's a zip file. There's a .pdf and Powershell scripts in the zip file.

    At which point do I wait for a phone call from Microsoft?

    EDIT: I've taken a look at the ps scripts. This nonsense:

    $SuspiciousFile = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YWdlbnQuY3J0")) }

    means I'm looking for a file called agent.crt! The next stanza looks for agent.exe.

    1. cyberdemon Silver badge
      Facepalm

      This nonsense [YWdlbnQuY3J0] means I'm looking for a file called agent.crt!

      WTF?

      They obfuscated this in a powershell script with a base64 string.. why?

      So that they could pull the wool over the eyes of the Dutch Institute for Vulnerability Disclosure and appear that “They showed a genuine commitment to do the right thing,” by providing a magical detection tool?

      Or because they are so cynical that they expect their recently-pwned customers to double click on an obfuscated powershell script and run it, rather than just telling them to look for a file called agent.crt?
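The point raised in this thread, that an operator should be able to read what a detection script looks for before running it, is easier to act on with a small audit helper. The following is an added example for this page, not Kaseya's detection tool and not code posted by anyone in the thread. It does two things: decodes every `FromBase64String("...")` literal found in a script so the search terms are visible in plain text, and performs the same file-name search as the quoted stanza without any encoding. The file names `agent.crt` and `agent.exe` are the two names decoded in the comments above; the temp-directory layout, the sample files and the script fragment it inspects are constructed here for the demo.

```powershell
# Added example (not Kaseya's script): audit base64 literals in a PowerShell
# detection script, then run the equivalent search in readable form.
# Sample files and the script fragment below are constructed for this demo.

function Get-Base64LiteralsInScript {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # Find every FromBase64String("...") call and decode the literal so the
    # operator can see what an obfuscated script is actually matching on.
    $pattern = 'FromBase64String\("([A-Za-z0-9+/=]+)"\)'
    Get-Content -Path $ScriptPath -Raw |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object {
            $encoded = $_.Groups[1].Value
            [PSCustomObject]@{
                Encoded = $encoded
                Decoded = [System.Text.Encoding]::ASCII.GetString(
                              [System.Convert]::FromBase64String($encoded))
            }
        }
}

function Find-SuspiciousFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        # The two names decoded in the thread; pass others as needed.
        [string[]]$Names = @('agent.crt', 'agent.exe')
    )
    # Plain-text equivalent of the quoted stanza: same recursive search,
    # no base64 in the way of reading it.
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

# --- demo with constructed files in a throwaway temp directory ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('detect-demo-' + [guid]::NewGuid())
$sub  = Join-Path $demo 'sub'
New-Item -ItemType Directory -Path $sub -Force | Out-Null
Set-Content -Path (Join-Path $sub 'agent.crt') -Value 'constructed sample, not a real certificate'
Set-Content -Path (Join-Path $demo 'readme.txt') -Value 'benign file'

# A constructed script fragment in the style of the one quoted in the thread
# (single-quoted here-string, so $Path is not expanded here).
$obfuscated = @'
$SuspiciousFile = Get-ChildItem -Path $Path -Recurse | Where-Object { $_.Name -eq [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YWdlbnQuY3J0")) }
'@
$scriptPath = Join-Path $demo 'detect.ps1'
Set-Content -Path $scriptPath -Value $obfuscated

"Base64 literals in $scriptPath decode to:"
Get-Base64LiteralsInScript -ScriptPath $scriptPath | Format-Table -AutoSize

"Files matching the decoded names under ${demo}:"
Find-SuspiciousFile -Path $demo | Format-Table -AutoSize

Remove-Item -Path $demo -Recurse -Force
```

Run it from any PowerShell session; the first table should show `YWdlbnQuY3J0` decoding to `agent.crt`, and the second should list only the constructed `sub\agent.crt`. The same `Get-Base64LiteralsInScript` call can be pointed at a vendor-supplied script before it is executed on a production host, which is the check a recently compromised MSP would want to make first.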

  5. Pascal Monett Silver badge
    Mushroom

    "Only a very small percentage of our customers"

    Ah, the gold standard of excuses.

    Fuck that. You were asleep at the wheel, or too incompetent to provide actual security to your customers.

    I don't care if only one customer got infected by your fault, it is one too many.

    Solarwinds123 has already happened. You have no excuse.

    1. gerdesj Silver badge
      Mushroom

      Re: "Only a very small percentage of our customers"

      Kaseya's customers are MSPs. MSPs have a lot of customers ... each.

      A *lot* of data has been encrypted

  6. Anonymous Coward
    Anonymous Coward

    As Kaseya customers

    We may defer decisions about payment ...

    The irony is we just signed up to Kaseya to get a tick in the Cyber Essentials Plus box.

    1. FlamingDeath Silver badge

      Re: As Kaseya customers

      Brilliant…

      Mike Judge is my hero, ever wondered why?

    2. Pete B

      Re: As Kaseya customers

      Hopefully although you just signed up you've yet to deploy the software!

  7. Anonymous Coward
    Anonymous Coward

    Not entirely unexpected?

    That it's taken until 2021 for the bad guys to work out that attacking MSPs - and, specifically, MSP systems and providers like Kaseya - is a route to compromising a lot of people very quickly is, frankly, a bloody miracle. It was bound to happen sooner or later, and I'm very surprised it wasn't sooner - a lot sooner.

    A/C (ex-MSP).

    1. Paul Hovnanian Silver badge

      Re: Not entirely unexpected?

      Next, REvil will hit the MSPPs (Managed Service Provider Providers). And then the MSPPPs. It's turtles all the way down until someone learns to write their own software.

  8. FuzzyTheBear
    Coat

    Laughing

    Next boyo that tells me their equipment is secure or that their services are secure will make me fall on the floor in a heap laughing my bu&& off unable to lick a stamp to save my life.

    If Russia don't do a thing to prevent this .. just cut the cables at the borders and jam their satellites solid.

    Wars can be fought both ways Vlad.

    Mine's the one without an ethernet port.

    1. Anonymous Coward
      Anonymous Coward

      Re: Laughing

      "America and the West’s dependency on undersea internet cables could be a strategic vulnerability. It is the consequence of both geography and the rise of the international digital economy. Russia, by comparison, doesn’t rely on the cables as much, and it has a substantial fleet of spy submarines designed to operate on them." [Forbes, How Russian Spy Submarines Can Interfere With Undersea Internet Cables]

      Escalation by punitive cable cutting is not wise. The problem is that the "West" has a lot more to lose than Russia, NK, Iran, etc., who all have underperforming economies.

      In contrast China has a lot to lose because they have a highly performing economy. And they are the only ones who pose a real threat to the "West", not from cyber espionage, but through outperforming the "West" economically.

      Russia is about as low as it can get, and any substantial wealth generated inside Russia seems to end up in London or NY. Most of the ransom money will eventually end up in London or NY.

      The way to stop the ransomware is to make it illegal to pay ransom, with prison time for doing so. Insurance rates will skyrocket, and there will be a lot of work in security. Eventually equilibrium will be reached, with the total # of ransomware incidents much fewer than at present.

    2. teknopaul Silver badge

      Re: Laughing

      If you want peace between nations you want to do more business not less.

  9. Sparkus Bronze badge

    this is nothing that a $50 investment

    in 5.56 or even 7.62 wouldn't fix.

    1. Paul Hovnanian Silver badge

      Re: this is nothing that a $50 investment

      I suspect that the key people in REvil have their own Spetsnaz security detail. Good luck.

  10. theloop

    I used Kaseya VSA for a big rail station and shopping mall digital signage project... I wonder if JC Decaux has removed it by now

  11. Anonymous Coward
    Anonymous Coward

    But $70 million can buy 70 Tomahawk cruise missiles. Security detail or not, it would be quite effective.

  12. DesktopGuy

    Glad I dumped Kaseya!

    I resold the Dark Web scanner to my clients and it was mainly fear marketing - bombarding clients with weekly updates of which large PC orgs got hacked with a severity scale. Getting out of the contract was a nightmare.

    They kept billing me "by accident" after I cancelled my contract and took months to refund the funds.

    Really, really not nice to deal with - especially in Australia.

    I wonder if they will use this hack in their Dark Web monitoring marketing…???


Biting the hand that feeds IT © 1998–2021