Kaseya’s comms response to ‘biggest ransomware attack on record’

Jim Preen, YUDU Crisis Management Director

The first indication that something very bad was happening at information technology firm Kaseya came on Friday 2nd July. A bland statement appeared on their website: ‘We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only. We have proactively shut down our SaaS servers out of an abundance of caution’.

Four days later the attack was deemed so serious that the White House, Homeland Security, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) were involved. Some were already calling it the biggest ransomware attack on record. Hackers were demanding $70m in bitcoin.

Managed service provider

Kaseya is a ‘managed service provider’ that offers software tools to its clients, which are typically IT outsourcing companies. These firms then provide their clients with the tools on offer from Kaseya. The products are designed for small to medium sized companies, which are generally not large enough to resource their own IT departments.

Kaseya has said that between eight hundred and a thousand of their customers have been affected by the hack though some analysts fear the number may be significantly higher. Businesses affected range from dentists in the US to supermarkets in Sweden.

The hackers found a vulnerability in Kaseya’s systems and were able to gain access to firms using their products. According to the Guardian newspaper: “Kaseya regularly pushes out updates to its customers meant to ensure the security of their systems. But in this case, those safety features were subverted to push out malicious software to customers’ systems”. Hackers found a so-called Zero Day Vulnerability in Kaseya’s products.

Bad actors

The bad actors are said to be Russian-based REvil, who sprang to fame by offering ransomware as a service. They too could be seen as a ‘managed service provider’ as they lease out their malevolent products to cyber-criminals intent on extortion. It’s thought that REvil take a percentage of each successful crime. In Kaseya’s case they have offered a universal decryptor that can apparently decrypt files in less than an hour, but for that they want bitcoin and lots of it.

In June REvil netted as much as $11m from meat processing company JBS. The firm admitted paying the ransom to protect its customers.

Crisis management case studies

In years to come detailed crisis management and business continuity case studies will be written about the attack on Kaseya. These will look at the company’s response, how they dealt with the hackers, how they managed the disruption, how they reconfigured their IT to fix the problem and how they communicated with the wider public. Learned white papers will look at all this and more.

But perhaps right now, while this story is still playing out, it might pay to look immediately at a small but significant part of their corporate fightback. Nothing more than their first in-depth press release which was titled: ‘Kaseya Responds Swiftly to Sophisticated Cyberattack, Mitigating Global Disruption to Customers.’

It was released on 6th July by Kylie Banks, Corporate Communications Manager at Kaseya with a subhead that read: ‘Company working alongside agencies and leading incident response team to support impacted small and medium-sized businesses.’ The complete press release can be found here on the Kaseya website and is replicated here on Continuity Central.

Typically, this type of analysis is reserved for those companies who have made terrible PR blunders in their attempt to reach out to the wider public. One only has to think of the incident where Dr David Dao was forcibly removed from a United Airlines flight with the airline’s CEO, Oscar Munoz, issuing a tin-eared response about ‘re-accommodating’ a passenger and referring to Dao as ‘disruptive’ and ‘belligerent.’ Video taken by fellow passengers showed this to be very wide of the mark.

Even a cursory glance at Kaseya’s press release shows this is not one of those stories.

What is this press release for?

The first question to ask is what is the purpose of such a press release, what is it for?

As you will see it looks and reads to a large extent like a newspaper article. It has an excellent headline and subhead that tells the reader exactly what the story is about and what the writer is trying to achieve. Their swift response to the attack has helped mitigate disruption to their customers which are vulnerable small to medium sized organizations. The tone is right.

The first paragraph sets out what Kaseya does and enlarges on the headline. Tried and tested newspaper procedure:

‘Kaseya, the leading provider of IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses (SMBs) responded quickly to a ransomware attack on its VSA customers launched over the Fourth of July holiday weekend. The company’s rapid remediation and mitigation measures saved thousands of small and medium-sized businesses from suffering devastating impacts to their operations and ensured business continuity.’

Plethora of acronyms

Newspaper journalists would hesitate to use such a plethora of acronyms in the opening paragraph, but it can be assumed that this material was targeted at a tech savvy audience.

There is an abundance of under resourced newspapers and news websites, so press releases such as this are written so they can be simply cut and pasted into a publication. Newswires will often take them as written as can be seen here.

But of course bigger, national and local outlets will just want to take sections, for example a quote from the CEO:

“Our global teams are working around the clock to get our customers back up and running,” said Fred Voccola, CEO, Kaseya. “We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”

He goes on: “This is a collaborative effort to remediate the issue and identify the parties responsible so they may be held accountable,” added Voccola. “We are beyond grateful for their assistance getting our customers back online. The immediate action-oriented and solution-based approach of CISA and the FBI, with tremendous overall support from the White House, has proven to be a huge help in ensuring that this attack led only to a very small number of impacted customers”.

The latter part of his quote is interesting and part of an established crisis management response to, in effect, spread the load. He indicates that it is not just his company that’s fighting the hackers; he has some big guns onboard that include the White House and beyond.

He also points out the number of customers affected is small. Here he is on trickier ground as it looks like the numbers may not be so trivial. Playing down an event that is causing havoc to his clients may look insensitive. This kind of spin is unlikely to play well to a chain of Swedish supermarkets that were forced to shut all their 500 stores in the wake of the hack.

And when it comes to numbers the press release is a little confusing. On July 2nd it says: ‘only approximately 50 of the more than 35,000 Kaseya customers being breached.’ These customers are not the end users but managed service providers, using Kaseya’s technology.

Two paragraphs down the numbers jump: ‘Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised’.

However, German news agency dpa reported that an IT services company in Germany that uses Kaseya’s products said that several thousand of its customers were compromised. So once again it looks like the numbers are being downplayed and may be significantly higher than Kaseya maintain. A dangerous game to play when this is being called the biggest ransomware attack on record.

Richard Stephenson, CEO of tech company YUDU, commented on the press release saying: “The press release is all about ‘we have this under control…know what has happened…know who has done it…and will get it all fixed by teatime’. One thing is certain in a cyber-attack and that is nothing is certain. It will take months to ensure that there are no backdoors that have been surreptitiously inserted”.

Strange terminology

To British ears some of the terminology used in the press release is odd. Kaseya, it says, ‘Delivers best in breed technologies’, making it sound like it produces some kind of dog technology. And Casey, the writer, who I hesitate to criticise as her life must be some kind of hell right now, clearly loves the phrase ‘an abundance of caution’ when talking about the Kaseya approach to the hack, as it appears in the press release and is used in messages on their website.

This must be a torrid time for the CEO Fred Voccola and all those working at the company. He put out a video message saying: “I feel like I let this community down, I let my company down; our company let you down. I’m not reading off a script, this is reality. This is not BS, this is reality. It sucks and I don’t want anyone to think we are not taking this seriously”.

It may be a small part of their remediation efforts but hopefully in years to come their comms response will seem worthy with their first major press release a small cog in a much bigger wheel.

The author

Jim Preen is Crisis Management Director at YUDU Sentinel

Jim designs and delivers crisis simulation exercises and is responsible for the company’s written material. Formerly a journalist, he worked at ABC News (US) where he covered the Gulf War and the Bosnian conflict. He won two Emmys while working at ABC.