Kaseya MSP Negotiates Ransom Payment Following Attack

‘They had to become boots on the ground going around to every single one of their clients and touching them manually,’ said Michael Crean, president and CEO of Master MSSP Solutions Granted, which is assisting the MSP impacted by the attack.

ARTICLE TITLE HERE

One MSP impacted by the REvil ransomware attack is trying to negotiate a payment with the cybercriminal organization.

Michael Crean, president and CEO of Master MSSP Solutions Granted, told CRN that the MSP, which he did not name, was hit in the attack and has hired a ransom negotiator to cut a better deal.

The attack Friday hit nearly 60 of Kaseya’s MSPs using an on-premises version of VSA, affecting up to 1,500 end user customers ahead of the July 4 weekend.

id
unit-1659132512259
type
Sponsored post

“This [MSP CEO] was driving in his car on vacation, headed out of town, had to stop everything, turn around and go back,” Crean said. “We were on the phone talking and [he said], ‘I’m just going to turn around right now and head back to my office.’”

[Related: Huntress CEO Kyle Hanslovan To MSPs On Kaseya Ransomware Attack: ‘Get It Together Or Go Out Of Business’ ]

The CEO, who runs an MSP with thousands of customers and has five or six employees, according to Crean, had to get all hands on deck and put “boots on the ground.”

“Everything they had to do became a manual effort,” Crean said. “They had to become boots on the ground going around to every single one of their clients and touching them manually in hopes that the ransom negotiators are going to do a really good job and get it down to a palatable number.”

To help, Crean is providing guidance to the MSP. If he doesn’t have an answer, he’s helping the company find it.

“My feeling was, ‘Hey, let me do the right thing. Let me give you some better protection. Let me give you some better monitoring. Let me give you some SOC services around what you have going on … and we just won’t bill you for the next month.’”

He wanted to help the MSP so that any lateral movement or problems could be stopped ahead of time.

“It’s kind of like what you would see if there was a community disaster and the whole community came together and tried to help everybody who was negatively impacted,” he said.

“It’s no different than what we all did as a community when we went through a global pandemic together,” he said. “How do we support each other and just be there for one another?”

And he’s not the only one. Crean has seen other IT organizations not affected by the attack reach out and help those that were.

“My hope is that all of [the MSP’s] customers, though rightfully frustrated, are not taking it out on them,” he said. “This really wasn’t a fireable mistake, and I hope that customers allow this organization to continue to support them.”

REvil, the ransomware attack group, is now looking for about $70 million before performing a “large mass unecrypt option,” Crean said.

Going forward, he said this attack will come with many lessons to be learned, especially after other large ransomware attacks like the Colonial Pipeline breach in May.

“This is the world that we live in, unfortunately,” he said. “The scary part is there’s so much talk around ransomware and terrorism. The security aspect of this community has to become more forceful with the RMM and VSA providers.”