Just as US businesses were closing for the July 4 holiday weekend, the REvil ransomware attacker group attacked. This attack impacted the MSP community more than any other incident. It was a predictable attack that many cyber experts had been anticipating. Tech companies stepped in to help, and the other shoe dropped. The REvil ransomware group attacked just as US businesses were closing for the July 4 holiday weekend. This incident had a greater impact on the MSP community than any other incident. Kaseya, a leading IT management software company was the target. Their VSA product was used by many MSPs to remote monitor and manage their clients. The ransomware was distributed to MSPs and customers. It was a nightmare scenario. It was a predictable attack that many cyber experts had been anticipating. The other shoe finally fell.
Although no one should have needed a wakeup call in the MSP industry, it was necessary. We are aware of only one MSP that was directly affected by the attack across all CompTIA members. CompTIA ISAO sent an alert to members on Friday, July 2, at 3:05 pm EDT. This was just 22 minutes after the initial public posting of the attack. Since then, the CompTIA ISAO has posted updates to its members. They have compiled as much information as they can and shared important links for official announcements.
Ironically, the CompTIA ISAO launched a forum on our Cyber Forum on July 2. We created this forum to discuss active exploits, following member requests following the PrintNightmare vulnerability. PrintNightmare was our first thread. The second thread, the Kaseya Attack, was active almost immediately.
We learned that a CompTIA MSP Member had been victimized on July 3. We sent an email to CompTIA ISAO members, asking for volunteers to help the MSP recover. We received 41 offers from MSPs, vendors, and individuals to fly to the MSP’s office to provide remote assistance or driving assistance. This was in less than three hours. We still received offers to help five days later, a testament to the generosity and power of CompTIA’s members.
Article 5 clause of NATO’s charter was the first to be used in a mass attack on MSPs. An attack on one of our members is an attack against all of us. This is how the industry responded. Hundreds of MSPs have offered to help any MSP that is impacted, regardless if they are a current customer or partner. During a very dark time, the best of business shone brightly. Everyone knew that it could have been them.
CompTIA issued a statement Monday, July 5 regarding the attack. It highlighted the response of CompTIA ISAO members to the call for help. We built on this and announced the formation a Rapid Response Team (RRT), to respond to any future attack that specifically targets CompTIA members. The RRT will include both internal and external resources so that they are ready to respond to any attack. The RRT will coordinate communication between the CompTIA ISAO as well as the wider CompTIA membership. This will include everything, from the distribution and coordination of threat intelligence and real time alerts to assisting impacted members with communications, incident response coordination, and recovery assistance. If a member needs assistance, members of the RRT will be available to assist. The ability to identify which member organizations can assist, and the areas of expertise and geography they cover will help to qualify response capabilities. This will allow the impacted organization focus on implementing their incident management plan without having to qualify external support.
As a courtesy for the industry and impacted organisations, the CompTIA ISAO will also provide complementary access to our threat intelligence reports as well as Cyber Forum discussions relating to the ransomware attack against Kaseya. Businesses need to work together to better understand the threat landscape, and be prepared for future attacks.
The RRT is already preparing and the lessons learned from this attack will be incorporated in our plans and capabilities. The MSP that was attacked offered to share their experience. They have been recording it in real-time. Other members have offered to share their stories of surviving past attacks, including ransomware attacks, as a result. CompTIA members will have access to all of the first-hand information. We are grateful for the willingness of these members to share their knowledge, knowing that many will be benefited from their experiences. It will help others to be more prepared in the event of an attack.
The C
