Just as US businesses were closing down for the long July 4 holiday weekend, the REvil ransomware group attacked—impacting the MSP community more directly than any previous incident. Kaseya, one of the leading IT management software companies, was the target, and its VSA product, used by many MSPs for remote monitoring and management, was leveraged to distribute ransomware to MSPs and their customers. It was a nightmare scenario. Sadly, it was an inevitable attack, one that many cyber experts have been expecting. The other shoe finally dropped.
No one should have needed a wake-up call in the MSP world, but if they did, they got it. Fortunately, across all of CompTIA’s membership, we are only aware of one MSP directly impacted by the attack. The CompTIA ISAO issued an alert to members at 3:05 PM EDT on Friday, July 2, just 22 minutes after the first known public posting of the attack. The CompTIA ISAO has continued to post updates ever since, compiling as much information as possible and sharing important links for official announcements and updates.
Ironically, on the morning of July 2, the CompTIA ISAO launched a new forum on our Cyber Forum. Based on member requests after the PrintNightmare vulnerability earlier in the week, we created a forum to discuss active exploits. PrintNightmare was the first thread created. The Kaseya Attack was the second thread and had active postings almost immediately.
On July 3, we learned that a CompTIA MSP member had been victimized. We sent an email broadcast to CompTIA ISAO members asking for volunteers who could help this MSP recover. In less than three hours, we had received 41 offers from MSPs and vendors to fly or drive to the impacted MSP’s office or provide remote assistance. Five days later, we were still receiving offers to help, indicative of the power and generosity of CompTIA’s member community.
Because this was the first mass attack on MSPs, the Article 5 clause of NATO’s charter came to mind: an attack on one of us is an attack on all of us. That’s how the industry responded. To date, literally hundreds of MSPs and vendors have pledged to assist any impacted MSP, regardless of whether it was a current customer, partner, or peer. The best of the business shone brightly during an otherwise very dark time. Everyone understood that it could have been them.
On Monday, July 5, CompTIA released a statement on the attack highlighting the response to the call for assistance by CompTIA ISAO members. Building on this, we announced the formation of a Rapid Response Team (RRT) to react to any future attack that explicitly targets CompTIA members. The RRT will be comprised of internal and external resources that will stand ready when—not if—that next attack takes place. The RRT will coordinate communication within the CompTIA ISAO and the broader CompTIA membership. This will include everything from the distribution of threat intelligence and real-time alerts to helping impacted members address communications, incident response, coordination, and recovery assistance. Members engaged with the RRT will stand by as a ready force to be activated if a member calls for assistance. Knowing which member organizations are able to assist and what areas of expertise and geography they are able to cover will help qualify response capabilities, allowing the impacted organization to focus on implementing their incident response plan without having to qualify the external support that is being offered.
In addition, the CompTIA ISAO is providing complimentary access to our threat intelligence reports and Cyber Forum discussions related to the ransomware attack on Kaseya as a courtesy to the industry and impacted organizations. We all need to work together to help businesses better understand the threat landscape and prepare for attacks, now and in the future.
The RRT is preparing now, and lessons learned from this attack will be incorporated into our plans and capabilities. The MSP that was attacked has offered to share its experience, which it has been capturing in real time. As a result of this attack, other members have come forward to share their stories about surviving past attacks, including ransomware attacks. We will be compiling all of this first-hand learning into an asset that will be available to CompTIA members. We applaud these members for their willingness to share, knowing that many will benefit from their experiences. It can only help others be better prepared should they be an unfortunate victim of the next attack.
The CompTIA ISAO continues to focus on and respond to the needs of our members in real time, from adding functionality to our existing systems to launching new initiatives like the RRT based on current and future needs. The CompTIA ISAO brings together the IT channel and all organizations in the business of technology to help one another raise the collective cyber resilience of the IT industry and the customers served by our members. Join the fight at www.comptiaisao.org and access the complimentary Kaseya attack content at forum.comptiaisao.org.