Kaseya ‘Likely’ Got Ransomware Decryptor From REvil: Huntress CEO Kyle Hanslovan

‘Since Emsisoft is the one that got it, I think it’s probably more likely that that REvil team or a REvil affiliate leaked it,’ says Huntress CEO Kyle Hanslovan.

Huntress CEO Kyle Hanslovan, who played a pivotal role advocating for MSPs who were hit in the Kaseya ransomware attack, believes the decryptor key Kaseya got its hands on was leaked by a REvil team member or affiliate. Although other scenarios are possible, he said.

Kaseya said it had obtained the universal decryptor key on July 21, 19 days after the devastating REvil ransomware attack, as part of its bid to help nearly 1,500 compromised customers unlocked ransomed files and data.

At that time, Kaseya confirmed that it obtained the tool from a third party and that it was working with anti-malware software provider Emsisoft to help customers recover from the ransomware attack.

CRN reached out to Kaseya but had not heard back at press time.

Earlier this week, Kaseya said it did not negotiate with cyber criminals and pay a ransom to obtain the decryptor. “While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment,” Kaseya said in a prepared statement. “Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal.”

CRN spoke with Hanslovan about the risks of using RMM tools going forward, what Kaseya could have done differently in the wake of the attack and why the vendor didn’t make patches when they were notified of vulnerabilities three months prior.

How do you think Kaseya got the decryptor tool? Do you think the U.S. government or law enforcement played a role?

There’s only three places where this key came from, and it’s really simple. Someone bought it, law enforcement or an intelligence organization got their hands on it or the REvil actors, whether coerced or whether they leaked it or whether it was done purposely, released it.

I do believe that Kaseya didn’t pay for it. There’s only two very likely scenarios, foreign law enforcement or intelligence got their hands on–which to be honest I hope that’s the scenario. However, I think the more likely scenario since Emsisoft is the one that got it, I think it’s probably more likely that that REvil team or a REvil affiliate leaked it.

How should have Kaseya responded after being notified by The Dutch Institute for Vulnerability Disclosure (DIVD) in April about the seven vulnerabilities in its products? Is three months typically enough time to patch a critical vulnerability?

That’s a huge thing on everybody’s mind. This is probably the third major incident I’ve worked with Kaseya on. I’ve worked with Kaseya in 2018, and the difference is night and day. Some vulnerabilities and bugs are hard to patch because they’re also sometimes features, so you have to remove functionality to truly patch it.

The idea that DIVD released the heads up, Kaseya didn’t get it fully patched and then it was exploited and abused, to me that’s a legitimate timeline and I’m not too concerned about that piece. The bigger question for me is why did it take this long for security researchers to start auditing that code base.

What could Kaseya have done differently since learning of the ransomware attack on July 2?

Their communication this go around was way better than it was before. When you’re in an incident like this, you have your own liability that you have to consider. I do think there could have been more frequent [questions of], “Where are we going?” There were a lot of places where we had to step in and say [to MSPs], ‘You’re not going to get the all clear. Kaseya can’t give you the all clear to start restoring for back up because they don’t want to take on that additional liability.”

When Kaseya finally came out and admitted that they didn’t pay that ransom for the decryptor key, yes they have to protect where it came from but they’re opening themselves up for a lot more questions if they’re not going to be more thorough.

There’s also this mystique going around this NDA (non-disclosure agreement for using the decryptor). I get this question from my team and a lot of our partners: Is Kaseya’s NDA requiring them to waive a class action lawsuit? Or are they just really trying to protect the sources of where Emsisoft got the decryption key?

There doesn’t need to be this much mystique. Why is there a NDA? [MSPs] shouldn’t have been upset at Kaseya, but because of the lack of clarity in communication, that’s probably the biggest thing you can critique.

What security issues/concerns do MSPs need to think about based on how REvil carried out its attack against Kaseya?

The MSPs aren’t prepared to communicate. With some of our MSP partners, the most valuable thing we’re doing right now is helping even the ones that weren’t impacted [have a] non-technical conversation with [their] customers that this was kind of like a hurricane.

MSPs aren’t doing a good enough job in selling, marketing and communicating that this is 2021 and cyber incidents are the hurricane. The most actionable thing is how to better communicate what the current landscape is and why when this happens, they’re going to make sure that [end users] are going to come out of this as unscathed as possible.

Based on what you’ve observed in recent years, is Kaseya’s RMM tool more secure or less secure than those offered by ConnectWise, N-able and Datto?

At the end of this incident, Kaseya and SolarWinds now have a code base that has been very heavily audited. It wasn’t before, but in many ways they’ll be able to come out of this and say, “You’ll have the reassurance that Kaseya doesn’t want this to happen again.” They’ll finally invest in incident response, code audits and secure code reviews and as a result I think their products will have better quality code.

All of the vendors have very relaxed code standards. I’ve seen these code bases before and they’re all kind of scary. [Huntress] just commissioned an out-of-band code review, not because we’re worried about our code, but I want to take our newest code review and publish it publicly and show people that as a vendor, all vendors have vulnerabilities, including Huntress.

Everybody makes mistakes. We have to start, as vendors, showing, not telling, that we have secure codes. What I’m hoping is that this will start motivating other vendors feel more comfortable talking about their code base. All vendors in the SMB’s code base have debt and it’s time for us to pay them down or this is going to continue happening and next time it might be much worse.

Do the risks associated with a potential breach of an RMM platform outweigh the benefits of using RMM? How big is the risk still?

[The risk] is getting more attention, not worse. All that is happening is the same debt that existed 20 years ago, now people are taking advantage of that debt. However, the RMM tool is a business tool. It helps you scale, it helps you automate, it helps lower the cost. I’ve been asked, “Should I ditch my RMM and just do this manually?” I ask them, “How much would you have to raise your customer’s price and would your customers be able to tolerate that price increase for the benefit of it?”

Let’s not forget, it’s productivity first, technology and security second. Technology and security need to enable productivity. We’re in business to make money. We’re in business to enable productivity. However, a lot of security people put the tin foil hat on a little too tight and cut off the blood flow and they end up doing these things that make businesses not productive. I would not condone the idea of removing RMMs.