Yesterday Kaseya announced that it had entered into a definitive agreement to acquire Datto for $6.2 billion dollars in an all cash deal that would offer $35.50 per-share and bring Datto into private ownership in a deal led by Insight Partners. If you are not an MSP, and you recognize the name Kaseya, it is likely because their remote monitoring and management platform VSA was hacked in July of last year resulting in one of the largest ransomware sprees in history.
Insight Partners is clearly building up Kaseya for an IPO in the near future and has been actively acquiring competitors and aligned companies serving the IT Managed Service Provider (MSP) space, including ITGlue, Unitrends, Vorex, RocketCyber, and nearly a dozen other companies. This is similar to another Insight Partners’ company, SolarWinds, which was culpable in what Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen.”
Yeah, it’s bad. Kaseya has already proven itself reckless and incompetent to defend their customers, and its attack surface continues to grow with every acquisition. The truly awful aspect of this is that most businesses impacted are not even aware that they have Kaseya software in their systems, as it is deployed by smaller IT Managed Service providers who use it to remotely manage their customer’s environments.
What is Kaseya?
Kaseya provides IT management software for Managed Service Providers (MSPs) including VSA, their previously hacked Remote Monitoring and Management (RMM) Software, Professional Services Automation (PSA), Process Automation, managed Security Operations Center (SOC) software, IT Service Desk Ticketing, and Network Performance Monitoring. Founded in 2000, Kaseya was relatively obscure outside of the MSP community prior to the 2021 hack.
What is Datto?
Datto has a number of competing products with Kaseya, including RMM, PSA and Network Monitoring. Datto’s big focus, however, is Business Continuity and Disaster Recovery (BCDR) software. In short, Datto is adding a widely adopted backup solution to Kaseya’s stack, including Backupify, which Datto acquired in 2015. In addition to Datto’s solutions, Kaseya will also gain 17,000 MSP customers with an estimated down-stream customer base of nearly half a million businesses.
Why is This Bad?
Insight partners have the dubious honor of having involvement in companies that enabled the two largest software supply chain hacks in history with SolarWinds and Kaseya. While a VC firm does not generally have day-to-day involvement in portfolio companies, their financial leadership and guidance impacts can have wide ranging impacts on supply chain cybersecurity.
Insight Partners made their first investment in Kaseya on June 25, 2013. Between then and the attack in 2021, employees reported that a significant amount of development had been offshored to Belarus; known in recent headlines as a supporter and staging ground of the Russian attacks on Ukraine. They also reported that there had been attempts by employees since 2017 to report systemic vulnerabilities to leadership that were, at least in one case met with retaliation.
Venture capital alone does not make a company bad. Kaseya thrived for 13 years after a seed round from Whitman Capital, and Datto only expanded their services and support with the backing of Vista Equity. However, predatory venture companies often strip companies down to pure metrics, where there can be a legitimate conversation about risk exposure vs risk appetite where it is decided to ignore security flaws because the cost of fixing them is more that the potential loss when they are exploited. This appears to be the case with both Kaseya and SolarWinds based on accounts from investors and former employees.
A Secondary Ransom
After the ransomware attack, Kaseya mysteriously came up with a universal decryption without paying the ransom. However, in order to access it, down-stream customers who had no direct contract with Kaseya were forced to sign non-disclosure agreements in order to access the tool. While NDAs are common in technology, this seemed to be a direct attempt to hide the realities of the hack, if a ransom was paid, and also potentially to gag down-stream customers.
Digging in on a Lack Of Transparency
Within a few hours of the announcement of the Datto acquisition, Andrew Kaiser, VP of Sales at Huntress Labs “decided to abbreviate those thoughts with a simple “:(“ on a Reddit thread about the acquisition. He was in good company, as a similar the thread had over 500 identical responses of frown emojis. Huntress labs was the first company to identify the original Kaseya attack, and is a driving force in the cybersecurity community.
In response to Kaiser’s scathing 2 character critique (/s), an employee of Kaseya sent a message to Huntress labs reading, “The original post was around the acquisition and Andrew responded with a sad face. The social team are not happy and I told them not to do/say anything to higher ups, and that I would take care of it. Would you mind telling him to kindly remove his post? I do not want this to affect your current booth placement because of one person”. Kaiser responded in an eloquent LinkedIn post, “Sadly it’s far too common for larger vendors to bully smaller vendors like this. These things happen quite frequently, but most are unwilling to talk about it due to the likely repercussions”
A Chilling Effect
These direct and intentional attempts to shroud the truth and control the narrative are problematic at best, and catastrophic if and when they lead to another supply -chain attack. RMM tools are responsible for patching and managing endpoints and servers and as such hold the proverbial keys to the kingdom. A demonstrated history of attacking those who critique their security vulnerabilities is chilling, and indicates a bleak future for their customers and their customers clients.
How to Respond to the Kaseya Acquisition of Datto
If you are an MSP who uses Datto now is the time to evaluate alternatives. While migrating Remote Monitoring and Management and Professional Services Automation tools can be a costly proposition, consider the thousands of hours it would take to help your clients recover from the next Kaseya / Datto ransomware attack.
If you are a company who leverages an MSP, it is critical to evaluate your third party risk management (TPRM) program to make sure you understand the secondary and tertiary threats created by your vendors’ software and security choices. Ask your MSP if they are using SolarWinds, Kaseya, or Datto products. Better yet, maintain a program to understand all software deployed in your environment or used to store and process your customer’s data.
If you are an existing Microsoft customer, 3rd party RMM and PSA solutions can be replaced with existing tools that you probably already have licensing rights for including Intune, Windows Autopatch, Defender for Endpoints and Cloud, and Azure Lighthouse, Arc, and Sentinel.
How Agile IT Can Help
We are a non-traditional cloud managed service provider that is 100% Microsoft cloud focused and who leverage zero third party tools in managing our clients’ environments. (Disclosure, we do use third party tools like Hubspot for Marketing and Datto’s Autotask for managing support tickets (which we are currently evaluating), however we incur no fourth-party risk outside of Microsoft into our managed environments.) We not only support Microsoft customers, we also are able to support other MSPs looking to move away from increasingly risky solutions. To find out more schedule a free consultation with one of our expert cloud advisors or architects and don’t get caught out with a ”:(“.