On July 2, 2021, Progressive Computing Inc., an MSP in Yonkers, N.Y., experienced a devastating supply chain ransomware attack. The attack, carried out by REvil threat actors, exploited a zero-day vulnerability in the company’s remote monitoring and management tool, Kaseya VSA. The attack impacted all 80 of Progressive’s customers and over 2,000 endpoints. This attack was one of many that affected Kaseya MSP customers.
Robert Cioffi, the co-founder and CTO of Progressive Computing, recently reflected on the attack and the recovery process. He emphasized the crucial role that the community played in helping the MSP get back on its feet. As an MSP, Progressive was not designed to support all of its customers 100% of the time. However, in this situation, all of their customers needed them at full capacity. Cioffi expressed his gratitude for the support and assistance provided by peers and vendors during this challenging time.
Cioffi described the attack as a “smash and grab” operation, with the aim of spreading ransomware to as many endpoints as possible in a short period of time. There was no targeted data exfiltration or attack on backup systems. Progressive became aware of the attack when their phones started ringing off the hook. The attackers had gained administrative control of the Kaseya system and used it to push ransomware to every endpoint managed by Progressive.
The speed of the attack was staggering. The attackers didn’t bother to lock Progressive out of their systems; instead, they set up an admin account and swiftly executed their ransomware plan. Fortunately, the backups were not compromised, which allowed Progressive to focus on restoring servers to safe recovery points. The recovery process involved using local appliances and the Axcient cloud to restore data.
When asked about the benefit of having a local copy of data, Cioffi explained that it significantly speeds up the recovery process. If data needs to be pulled down from the cloud, it can cause delays. Progressive reached out to Axcient on the day of the attack and received technical support to aid in their recovery efforts. While Axcient didn’t directly handle the recovery process, they provided necessary resources, including senior sales engineers who flew out to New York to assist with recoveries.
During the recovery process, Progressive encountered some obstacles such as hardware failures and storage space limitations. A production server they were trying to restore to failed right at the beginning, causing additional stress. However, overall, the recovery process went relatively smoothly. It took 17 calendar days to restore all 80 customers.
Cioffi admitted that no one truly prepares for the scale of attack that Progressive experienced. While companies may claim to have plans in place, the reality is that such attacks are unimaginable until they happen. Cioffi emphasized the importance of openly discussing and sharing experiences of cyberattacks, as it helps the community learn from each other and be better prepared for future events.
In conclusion, Progressive Computing Inc. faced a supply chain ransomware attack that affected all of its customers. Thanks to the support of the community and vendors like Axcient, the MSP was able to recover from the attack and restore its customers’ data. The incident highlighted the need for open discussion and collaboration within the cybersecurity community to strengthen defenses against such attacks in the future.
