Ransomware attacks have become a prevailing threat to businesses of all sizes, causing significant financial losses, reputational damage, and operational disruptions. In this episode, we talk with Robert Cioffi, COO and Co-Founder of Progressive Computing, who shares how they navigated through the Kaseya ransomware attack. He shares invaluable insights into their journey of resilience, recovery, and the crucial lessons learned along the way.
In this episode:
How One MSP Handled a Ransomware Attack – Ep 422
Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.
How One MSP Handled a Ransomware Attack
[02:04] Today we are joined by Robert Cioffi, COO & Co-Founder of Progressive Computing, a Yonkers, NY-based IT services company for small and medium-sized businesses. Robert shares his company’s experience during the Kaseya hack that affected them and their clients.
On July 2, 2021, a ransomware gang, REvil, exploited a flaw in a piece of software that IT vendors used to manage clients’ networks and endpoints. When the hack hit Progressive Computing’s instance of Kaseya, REvil pushed ransomware to every endpoint in less than 2 hours and encrypted all the files on every computer. For Progressive, this amounted to 81 customers (including Progressive itself) with about 200 locations across 4 time zones, so about 2500 endpoints, meaning desktops and laptops, and about 250 of those endpoints were servers.
As we often mention, hackers like to attack during the holidays or just before a holiday weekend because people’s guards are down. Folks are mentally checked out, some businesses are lightly staffed and the hackers feel they can fly under the radar and catch people off guard. This attack occurred on Friday before the July 4th holiday weekend.
This attack affected approximately 50 to 60 Kaseya customers, most of which were MSPs. Overall, it’s estimated that about 1500 different organizations were affected, accounting for over a million computers.
Progressive’s Experience
[13:32] Most of Robert’s story is about the emotional, human, psychological part of the event, which is typically an undersold part of an event like this. For Robert, it had been a light and easy day so far, with everyone looking forward to the long holiday weekend. The weather was nice, for a change, in Yonkers. Robert was having a bit of lunch in the company kitchen, which is a luxury for him many days. Everything was going well… until the Director of Operations came to deliver the news that ALL of their customers had been hit with ransomware.
[22:26] Denial set in, but it quickly became clear that more data was needed. As Robert logged into his own computer to start checking logs, he noticed the once-familiar icons on his desktop turn to white boxes one by one. Everything on his computer was being encrypted. Everything except one text file called ReadMe, which was the actual ransom demand from the REvil hackers.
[33:18] We asked Robert how he would have prepared if someone had told him at the beginning of the year that he would be hit with ransomware at some point. He said he would have focused more on the “right of boom” tasks by doing tabletop exercises to learn and understand how to respond and recover better. A big part of that includes a communication plan: how to communicate with your internal staff, those working remotely, and then your clients. Many times your clients then have to communicate with their own customers, patients or clients. Let’s not forget the press and potentially law enforcement.
Kaseya was helpful in that they were able to corroborate the findings from Progressive’s independent forensic analysis of their network and systems: the attack was more of a smash-and-grab style of attack and no data was exfiltrated. The hackers broke in and used the Kaseya system to automatically push ransomware to as many devices as possible, and that was it.
[40:02] So now Robert and his team knew what they needed to do to recover their clients’ servers and networks. The problem was that they needed to do that for everyone all at once. They needed more hands. They got help from the community of MSPs and friends they’d made over the years to help restore data from backups that were free of any malicious code.
[50:57] From “boom” to successful recovery, it took Robert and his team 17 days to recover 95% of systems for about 95% of their clients. The first 2 to 3 weeks were a lot of searching for answers and working around the clock. Once given the green light by forensic investigators, they started recovery efforts on July 5th. And that was with a lot of help from the community of MSPs that came to help.
In August 2021, Robert registered MSP911.org and partnered with CompTIA to create an emergency response team to assist MSPs with major security incidents such as this Kaseya attack. The response team members are 100% volunteers and there is no charge to the MSP who needs assistance. This is a way for folks to step up and help other MSPs recover from an attack.
Cybersecurity is an ongoing battle. Organizations across the globe face an ever-evolving threat landscape, with ransomware attacks posing a significant risk to their operations and stakeholders. By adopting a proactive cybersecurity mindset and leveraging the lessons learned from this real-life scenario, and others like it, businesses can bolster their resilience and better protect themselves against future cyber threats.
HIPAA is not about compliance, it’s about patient care.™


