
An MSP Hero: Catching a Ransomware Cyber Criminal
In 2021, Progressive Computing was one of many MSPs hit by the July 2nd REvil Sodinokibi ransomware attack. Luckily, Progressive Computing was already an Axcient partner and restored 100% of its data—including 2,500 endpoints with 250 servers for 80 clients across 4 time zones—in just 17 days with zero data loss.
Relying on x360Recover for comprehensive business continuity and disaster recovery (BCDR), the Axcient support team, and the MSP community, Progressive Computing survived the total ransomware takedown. Almost three years after the attack, Robert Cioffi, the COO and Co-Founder of Progressive Computing, met one of his attackers in court.
Kaseya Attacker Sentenced: 13 Years + $16 Million in Restitution
Updated July 1, 2024
On Wednesday, May 1, 2024—almost three years after the July 2, 2021 REvil Sodinokibi ransomware attack—one of the bad actors was sentenced to 13 years and seven months in prison. Additionally, he’s been ordered to pay over $16 million in restitution for his role in over 2,500 ransomware attacks and demanding more than $700 million in ransom payments.
Progressive Computing was one of many MSPs hit during the extended 4th of July weekend in 2021. Luckily, Progressive Computing was already an Axcient partner and restored 100% of its data—including 2,500 endpoints with 250 servers for 80 clients across 4 time zones—in just 17 days with zero data loss. Using x360Recover for comprehensive business continuity and disaster recovery (BCDR), the Axcient support team, and the MSP community, Progressive Computing survived the attack.
Since the attack, Robert Cioffi, Progressive Computing’s COO and Co-Founder, has used his nightmare story to warn other MSPs about complete ransomware protection. After years of managing restoration, watching the case slowly move through the courts, and reading his victim impact statement in January 2024, Cioffi attended what he calls “the day justice was served.”
A Quick Review of the Kaseya Ransomware Attack
Whether you were a victim, helped other victims, or were simply keeping up with the latest cybersecurity risks (as MSPs should be), the lesson was the same: every small-to-medium-sized business (SMB) was now exposed to a new threat vector, the supply chain. In this case, the ransomware infiltrated Progressive Computing’s RMM platform through a Kaseya flaw, taking down the MSP and its clients.
On the Friday before a long 4th of July weekend, bad actors capitalized on holiday absences and distracted employees to launch a massive ransomware attack targeting MSPs. The supply chain attack, carried out by the REvil (Ransomware Evil, a.k.a. Sodinokibi) group, caused widespread downtime for more than 1,000 different companies. The attackers exploited a zero-day vulnerability in Kaseya’s Virtual Systems Administrator (VSA) that had been discovered months before the attack.
Although Progressive Computing was fully patched on the latest version of the product and followed all recommended configuration security practices, the attackers bypassed multifactor authentication (MFA) and every administrator-level password. They walked right through the back door into Progressive Computing’s system, uploaded the ransomware as an executable, and crafted a script to download and run it on every managed endpoint – 2,500 in total, with 250 servers and over 2,200 PCs. Just like that, everything that was online was encrypted.
How Progressive Computing Recovered
Luckily, Progressive Computing already used Axcient x360Recover for business continuity and disaster recovery (BCDR). And, by pure chance, Cioffi had signed his cybersecurity insurance coverage just four days before the attack. Armed with a robust and reliable solution and the guidance of its insurance provider, Progressive Computing determined the best process for total recovery. After pinpointing 10:49 a.m. as the time the attack began, technicians used Axcient’s 15-minute recovery point objective (RPO) to restore servers from 8 a.m. on the day of the attack.
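The recovery-point selection described above, as an added illustration in Python rather than Axcient’s or Progressive Computing’s own tooling: for each server’s snapshot chain, take the pinpointed attack onset, subtract an assumed buffer for undetected dwell time, and pick the newest snapshot before that cutoff, reporting the resulting data-loss window and flagging any chain whose nearest clean snapshot is older than one RPO interval. The fleet, server names, and the two-hour buffer are constructed for the example.

```python
from datetime import datetime, timedelta

RPO = timedelta(minutes=15)                  # snapshot cadence described in the post
ATTACK_ONSET = datetime(2021, 7, 2, 10, 49)  # time the attack was pinpointed to begin
BUFFER = timedelta(hours=2)                  # assumed margin for undetected dwell time

def snapshot_chain(start, end, step=RPO):
    """Yield snapshot timestamps from start to end (inclusive) every `step`."""
    t = start
    while t <= end:
        yield t
        t += step

# Constructed sample fleet: one healthy chain, one chain with a gap, and one
# server onboarded so recently that every snapshot postdates the attack.
FLEET = {
    "srv-file01": list(snapshot_chain(datetime(2021, 7, 2, 0, 0), datetime(2021, 7, 2, 10, 45))),
    "srv-sql02": [datetime(2021, 7, 2, 7, 30), datetime(2021, 7, 2, 8, 0), datetime(2021, 7, 2, 10, 0)],
    "srv-new03": [datetime(2021, 7, 2, 11, 0), datetime(2021, 7, 2, 11, 15)],
}

def choose_restore_point(snapshots, attack_onset, buffer):
    """Latest snapshot taken no later than attack_onset - buffer, or None if none exists."""
    cutoff = attack_onset - buffer
    clean = [t for t in snapshots if t <= cutoff]
    return max(clean) if clean else None

def plan_recovery(fleet, attack_onset=ATTACK_ONSET, buffer=BUFFER, rpo=RPO):
    """Per server: restore point, data-loss window, and whether the chain has a gap wider than the RPO."""
    cutoff = attack_onset - buffer
    plan = {}
    for server, snaps in fleet.items():
        point = choose_restore_point(snaps, attack_onset, buffer)
        if point is None:
            # No clean snapshot at all: this server must be rebuilt from scratch.
            plan[server] = {"restore_point": None, "data_loss": None, "chain_gap": True}
            continue
        plan[server] = {
            "restore_point": point,
            "data_loss": attack_onset - point,    # everything written after the restore point is gone
            "chain_gap": (cutoff - point) > rpo,  # a missing snapshot cost more than one RPO interval
        }
    return plan

if __name__ == "__main__":
    for server, entry in plan_recovery(FLEET).items():
        print(server, entry)
```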
While the recovery process itself was straightforward, the attack surface included all of Progressive Computing’s clients and the MSP itself. Essentially, Progressive Computing needed to triple its workforce overnight. With almost 99% of systems compromised, everything had to be completely wiped and reinstalled from scratch. This is where Cioffi’s years of investment in the MSP community through MSP peer groups and connections saved the day. Within days of the attack, MSP leaders from Kansas and California came to New York with their engineers, ready to bulk up the Progressive Computing team.
“Axcient really stepped up. Not just as a technological solution but as a company that showed great care and compassion when we were in our darkest hour. …Not only did Axcient’s backup and disaster recovery technology work flawlessly for us, but the support staff that helped us get through that process was just amazing.”
Inspired by the channel’s response to Progressive Computing’s attack, Cioffi did the opposite of what many ransomware victims do – he publicized the details to help other MSPs. Cioffi says he’s paying it forward and hopes other MSPs will do the same to reinforce the importance of cybersecurity readiness, proactive protections, and comprehensive BCDR. Hear more from Cioffi directly, take notes from his experience, and avoid overlooking vulnerabilities with the following resources produced in partnership with Progressive Computing.
- Case Study: MSP Progressive Computing Restores 100% of Data Following Kaseya Attack
- Blog: Ransomware Recovery Guide for MSPs
- Free eBook: Surviving a Total Ransomware Takedown – An MSP Quick Guide for Overcoming Today’s Cyberattacks
- Discussion with Robert Cioffi: MSP Xperience Lounge: Unmasking Cybercriminals
Facing the Cybercriminal in Court
It’s been nearly three years since the attack, almost two years since Kaseya acquired Datto, and over two years since the U.S. Department of Justice arrested and charged two men for deploying the Sodinokibi/REvil ransomware attack.
At the end of 2021, an indictment charged Yaroslav Vasinskyi, a 22-year-old Ukrainian national, with conspiracy to commit fraud and related activity in connection with computers, multiple counts of damage to protected computers, and conspiracy to commit money laundering. He faced a maximum penalty of 115 to 145 years in prison if convicted on all counts.
Vasinskyi was arrested in Poland in October 2021 and extradited to Dallas, Texas, to await trial. Cioffi followed the case as it slowly waded through the court system. As a victim, he was invited to attend the sentencing hearing and read a victim impact statement to the judge. Cioffi accepted, wanting to serve as a voice for MSPs and SMBs in the conviction of cyber criminals. Accompanied by some local Axcient team members and other Progressive Computing supporters, Cioffi traveled to Dallas to read his statement in January 2024.
Cioffi was the only victim at the hearing, where Vasinskyi pleaded guilty to nine out of ten charges. Attempting to influence the judge’s discretion over sentencing and future similar cases, Cioffi represented the MSPs and SMBs often overlooked during these attacks, with headlines focusing on big brand names instead. Cioffi says:
“I felt it was my mission to jam the flag into the hilltop and say, ‘no more!’ The MSP and SMB community has a voice, and we’re saying, ‘We’re pissed, and we’re not going to be faceless, nameless victims anymore.’ It’s important for the record to reflect what happened and how it affected us emotionally, psychologically, and financially.”
The Victorious Sentencing
On May 1, 2024, the judge who heard Cioffi’s victim impact statement sentenced Vasinskyi to 13 years and seven months in prison, plus over $16 million in restitution. Joined by his supporters from the MSP community, including Axcient team members, Cioffi attended the sentencing in person to witness the end of this years-long struggle. At the same time, he questioned, “Is there closure?” His response:
“Don’t think so linearly. This story has many branches and intersections. Think of this as simply one limb that has been cauterized. There are other chapters that may never end or heal. I want to remind you all that our collective work remains unfinished, but now you can proceed with greater hope and perhaps a little victory in your heart.”
His statement continues, encouraging the channel to fight cybercrime at a Federal level and proclaiming this case a victory:
“[It’s a] massive victory for all of us: the MSP community, the countless businesses we serve, and our national interests. It tells the world that although you may be hiding behind [the] protective borders of enemy states, you can still be held accountable for your crimes. So, kudos to the Department of Justice and the FBI for their unwavering work and professionalism in seeking justice. I, for one, feel a bit relieved knowing a victim can have his say in his court and be witnessed to seeing his attacker pay the price.”
Energizing other MSPs to fight back, Cioffi continues to tell his story as a cautionary and inspiring tale for other MSPs and SMBs. He has teamed up with CompTIA as the chairperson of the free CompTIA Emergency Response Team (ERT), composed of MSP volunteers experienced in handling security incidents. MSPs can call on them for guidance and advice during security incidents or service disruptions.
Hear Directly from Cioffi to Learn More
Head to the Axcient MSP Xperience Lounge on LinkedIn for our episode with Robert Cioffi, Unmasking Cybercriminals. You’ll see a candid conversation between Cioffi and Axcient’s VP of Marketing, Bryce Roberts. Learn more about how Cioffi and Progressive Computing are helping the community unmask more cybercriminals for their attacks on MSPs and SMBs.
If you want to test the x360Recover solution that Cioffi used to restore protected systems 100%, with zero data loss, select an option below:
You can also check out a recorded demo of x360Recover to see how the product works.
