'Wish We Would Have Had' Kaseya Ransomware Decryption Key Sooner, Says One MSP

JustTech and 120 of its clients were victims of the ransomware attack.

Edward Gately, Senior News Editor

September 23, 2021


As the FBI withheld the ransomware decryption key, JustTech was racing to help 120 clients impacted by the July 2 attack on Kaseya by the REvil ransomware gang.

JustTech is a Virginia-based MSP and Kaseya client. Some 120 of its 3,000 clients were impacted by the attack.

This week, the Washington Post reported the FBI withheld the Kaseya ransomware decryption key for nearly three weeks, leaving victims struggling to recover and stay afloat. The agency reportedly held onto the key as part of an operation to disrupt REvil. However, the operation failed.

The FBI shared the key with Kaseya on July 21. New Zealand-based security firm Emsisoft created a fresh decryption tool, which Kaseya released the following day.

Joshua Justice is founder, owner and president of JustTech.


“My reaction when I heard the FBI withheld the ransomware decryption key was the same reaction that I had when Kaseya released it three weeks after the cyberattack,” he said. “I wish we would have had it sooner. Immediately following the attack, we had no idea if a decryptor would ever be available and released. Our clients could not expect us to wait and see for weeks. The logical thing was to wipe devices and restore backups. We started the recovery within an hour after the attack.”

Many Types of Businesses Impacted

The impact was widespread among many types of businesses, Justice said.

“Resorts could not check visitors in and out on a busy holiday weekend, restaurants could not process payments and others could not conduct business when reopening after the holiday,” he said. “I managed JustTech communications from my son’s Chromebook as JustTech was also a victim in this attack. I worked to reassure clients that they would recover and we had a plan. There were a lot of emotional calls with clients and employees, especially in the first five days. As clients at least became functioning again, they understood our plan was working. Our clients have been so supportive through this.”

JustTech’s IT team members worked 18-hour days in the days and weeks following the attack, Justice said.

“Other JustTech personnel from other departments were brought in to assist in the recovery,” he said. “We had the 120 clients affected at least to a functional state in 10 calendar days (four weekend days, one holiday and five weekdays). Most clients were mostly recovered by day 15.”

Continuing Recovery

Months after the Kaseya attack, JustTech is still getting requests from clients for things they didn’t know they needed access to because they don’t use them on an ongoing basis, Justice said.

“We gave our clients punch lists to share with us so every time we visit, we can address additional items,” he said. “The recovery is continuing every day, and our clients have been amazing and seem to really understand the gravity of the situation.”

Moving forward, JustTech is going to put even more emphasis not just on protection, but also recovery, Justice said.

“How can we recover more quickly; how can we lessen the pain from these growing attacks,” he said. “We are in the early stages, but are already seeing some potential to speed up the recovery. We are also going to continue to recommend that clients move more programs to the cloud and are continuing those discussions with our client base.”


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
