Tidying the loose ends before the whole thing unravels
In the spring of 2021, Dutch Institute for Vulnerability Disclosure (DIVD) researcher Wietse Boonstra quietly uncovered seven critical flaws in Kaseya’s widely used IT management software. DIVD warned the company within days, flagging more than 2,200 vulnerable systems across the globe. Weeks later, three flaws remained unpatched—and the REvil ransomware gang pounced. Overnight, some 1,500 organisations were paralysed, from supermarkets in Sweden to schools in New Zealand. This was not an isolated close call. In a 2023 study with the University of Twente, DIVD found that less than half of Dutch municipalities acted promptly when notified of exploitable flaws in their email systems. In some cases, local authorities ignored the warnings entirely. ...