Kaseya post-attack VSA deployment delayed until Sunday

Kaseya delayed the restoration of its VSA systems until Sunday in order to deploy additional security protections following last week's devastating REvil ransomware attacks.

VSA, Kaseya's endpoint management and network monitoring product, has been unavailable since the July 2 disclosure of a supply chain attack that compromised Kaseya, approximately 60 of its managed service provider (MSP) customers and an estimated 1,500 MSP clients across the globe. The attack occurred when REvil ransomware threat actors exploited zero-day vulnerabilities in VSA before using that access to send malicious updates via the software.

The software vendor originally planned to return both cloud and on-premises versions of the product to functionality on Wednesday, until Kaseya posted an update on their attack information page on July 7 at 7 p.m. ET. "We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment. We apologize for the delay and changes to the plans as we work through this fluid situation," the page read.

Early Thursday morning, Kaseya published a nine-minute video statement from CEO Fred Voccola speaking on a number of topics including the VSA redeployment. The new deployment day is Sunday, July 11.

"I feel extremely confident that this Sunday, four o'clock Eastern [Standard Time], we will have our customers coming back online, both cloud, SaaS, as well as on-prem," he said, also promising runbooks and daily updates from Kaseya CTO Dan Timpson.

Voccola called the delay "probably the hardest decision I've had to make in my career," and that it was done "to make sure that it is hardened as much as we feel we can do for our customers."

"We had all the vulnerabilities that were exploited during the attack. We had them locked. We felt comfortable with the release," he said. "Some of the third-party engineers, engineering firms and companies that we've been working with, as well as some of our own IT people, made some suggestions to put additional layers of protection in there for things that we might not be able to force in."

SearchSecurity asked Kaseya about what the additional layers of protection were, but the company declined to provide any details.

"We have multiple groups testing the product from every angle, and while we felt ready to roll it out, our agency and private groups doing the testing recommended additional steps we should take prior to going back online," a Kaseya spokesperson said via email. "In a continued effort to work with abundance of caution, we followed their guidance to delay the release."

SearchSecurity also asked for more details about the seven vulnerabilities that the Dutch Institute for Vulnerability Disclosure reported to Kaseya, but the spokesperson declined to comment due to the ongoing FBI investigation. Voccola gave similar reasons for not disclosing certain information during the video.

At the end of the video, Voccola announced that Kaseya Cares, a 2020 program in which Kaseya provided financial assistance to MSPs impacted by the COVID-19 pandemic, will return in 2021 in a way that "closely" models the previous year. Plans include direct financial assistance as well as opportunities to utilize third-party consulting firms and other benefits.

"We're doing what we can do, I assure you. No one at Kaseya wanted this to happen. None of you wanted this to happen," Voccola said. "We love our customers. It pisses me off when we do things to hurt them. Especially when it's something like this, where you've fallen victim to criminal acts and it's impacting everything."

Alexander Culafi is a writer, journalist and podcaster based in Boston.