For cybersecurity workers, 2021 was intense. There was the Russian-based ransomware attack on Colonial Pipeline, a key transit system for U.S. oil, that set off panic-buying at the gas pumps. Meanwhile, major U.S. meat packer JBS was shut down by yet another attack. And then there was the U.S. federal government, which suffered one of its worst cyber espionage breaches ever, due to aftershocks created by the hacking of software maker SolarWinds.
At the time, FBI agent Jason Manar was just four years shy of retirement. After nearly 16 years of service, he said he had seen “the good, the bad, and the ugly…and everything in between.”
Like many in his field, Jason Manar developed a passion for cybersecurity almost by accident. It began with tackling street crime at the FBI, where he rose through the cyber ranks, until he left the bureau in 2021 to become the chief information and security officer at Kaseya, one of the world’s largest remote monitoring and software management companies.
Manar began his public service as a Kentucky State Trooper before moving to the FBI, eventually joining the cyber division that focuses on criminal threats to the U.S. During that time, he worked with victims of hackings, from mom-and-pop shops all the way to Fortune 50 companies.
“I fell in love with the incident response portion, with the cat and mouse game that there constantly was with the adversaries,” Manar said.
One of his last investigations on the physical side of security involved a gang that was recruiting struggling young people into scamming businesses through spam email. The gang found it was more profitable to target businesses and pursue digital crime than to sell drugs on the street.
“At the end of the day, gangs are just typically trying to finance their organization. It doesn’t matter where their illicit funds come from,” Manar said.
REvil was already a well-known and profitable ransomware-as-a-service operation by the time it targeted Kaseya in an attack on July 2, 2021. By selling ready-to-use encryption malware to clients, REvil collected a commission whenever its criminal customers, who lacked the technical chops to build the malicious code themselves, used its software. In the process, REvil collected millions of dollars. It was just one of many ransomware gangs that were increasingly targeting critical systems for financial rewards.
“It was a year of ransomware. It was insane,” Manar said.
From FBI to Kaseya
Kaseya sells remote monitoring and management software to companies that provide IT services to small and medium-sized businesses. REvil took advantage of Kaseya’s position as a trusted third-party software provider and infiltrated the company through multiple vulnerabilities in the web interface of one of its remote management products.
The ransomware attack quickly abused Kaseya’s vulnerable product to infect more than 1,500 businesses, whose files were locked up by malware. REvil demanded $70 million in cryptocurrency to release the decryption key. Since Kaseya’s customers provided technology and cybersecurity services to tens of thousands of companies, Kaseya was under intense pressure to meet REvil’s demands for a payoff.
Stationed in Miami as the cybercrime supervisory special agent, Manar was in the middle of the fray as he led the FBI’s relationship with Kaseya during the attack. He had to collect and constantly relay information related to the attack to help potential victims—all on a global scale. It was an entire orchestra of response and recovery efforts with the ultimate goal of finding and prosecuting the people behind it. Any wrong note could lead to more victims, more damage, or the perpetrators getting away with the crime.
Manar said that it “was constantly, quite frankly, weighing.” When the FBI used undisclosed means to finally get the decryptor key that could release the locked files of victims worldwide, it was a big win. However, the FBI had to weigh publicly acknowledging that victory against the harm it could cause to any future prosecution.
“When you have a decryptor key, you usually get that from a very specific and localized place,” Manar said. “As soon as you put that kind of information out there, the adversary is going to know where you got that, they’re going to know how you got that and, quite frankly, you’re going to lose a lot of visibility in that case.”
He said it was largely because of Kaseya’s willingness to go above and beyond in providing information that the FBI was able to get the decryptor within a week. In all, the ransomware attack had hit 57 of Kaseya’s customers, in addition to the more than 1,500 businesses.
Following the attack, Manar was promoted to assistant special agent in charge and moved to San Diego. But the change would also take him out of cybersecurity and into the world of counterintelligence and counterterrorism.
Being a self-described “glutton for punishment,” Manar decided to leave the FBI and become Kaseya’s CISO. During his time working in the cyber office at the FBI, Manar would brief boards, talk to Fortune 500 companies, and see the struggles CISOs have in getting their employers to prioritize security. He also saw the results of a lack of security culture.
At the time of the attack, Kaseya, founded in 2001, did not have a centralized cybersecurity office. Manar became the company’s first CISO.
“I really wanted to find the answer of how you create a cybersecurity culture from the ground up. Over the last three years, that’s what I’ve endeavored to do here at Kaseya,” Manar said. “I am that purveyor of risk and what that risk is.”