Kaseya obtains universal decryptor key for recent REvil ransomware attacks
A company spokesperson confirmed that the key works but won’t reveal the source, saying only that it came from a trusted third party.
Hit by a severe cyberattack earlier this month, enterprise IT firm Kaseya said on Thursday that it obtained a universal decryptor key for recent victims of the REvil ransomware. Kaseya Senior VP of corporate marketing Dana Liedholm said the company obtained the key on Wednesday and that it does work. Liedholm wouldn’t reveal any details as to how or where it was obtained other than to say that it came from a trusted third party.
In an update to its ongoing post on the recent cyberattack, Kaseya confirmed receiving the decryptor key. The company said it was working to help victims affected by the ransomware attack and that customers impacted by the incident would be contacted by Kaseya representatives.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said. “Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”
Though Kaseya declined to offer details on how and where it obtained the key, the sudden appearance of a universal key suggests that the ransom may have been paid, according to Ivan Righi, cyber threat intelligence analyst at Digital Shadows. However, Righi said it’s likely the ransom would have been negotiated to a lower price.
Erich Kron, security awareness advocate at KnowBe4, called the development great news for the victims of the attack but pointed out that much damage had already been done in terms of downtime and recovery costs. Though the data may get decrypted, organizations must still restore the files as well as their systems and devices.
“Even with the release of the universal decryptor, organizations that had data exfiltrated as part of the ransomware infection, a common occurrence with REvil and modern ransomware, still have to deal with the impact of a data breach and all that entails,” Kron said. “For regulated industries, this could be very costly.”
On July 3, Kaseya revealed that it had been hit by a successful ransomware attack against its VSA product, a program used by Managed Service Providers to remotely monitor and administer IT services for their customers. Claiming responsibility for the incident, the REvil ransomware group pulled off the attack by exploiting a zero-day vulnerability in the VSA program, delivering the malicious payload via a phony software update.
The attack had a ripple effect across more than 1,000 organizations that use Kaseya’s product. As Kaseya’s VSA product was compromised, so were the VSA servers of its customers. Through this chain reaction, REvil was able to infect the systems and encrypt the files of these many customers, thus holding the data of all of them for ransom.
In its own “Happy Blog,” REvil claimed that more than 1 million systems were infected, according to security firm Sophos. The group also came up with an intriguing offer for all victims of the attack. In exchange for $70 million worth of bitcoin, REvil would post a universal decryptor that would allow all affected companies to recover their files.
One natural theory is that Kaseya took REvil up on its offer and coughed up the $70 million for the decryptor key. However, the company said that the key came from a trusted third party, which by definition would eliminate REvil. And the status of REvil itself is now a mystery.
Last week, the ransomware group seemed to disappear from public view. REvil’s Dark Web sites suddenly went offline. Its Happy Blog ceased to exist. Even the infrastructure through which victims would make payments was no longer accessible.
Analysts and industry experts have speculated as to the cause of the vanishing act. Some believe the group is laying low after its recent attack spree. Others think REvil may have disbanded with its members likely to resurface elsewhere. And some wonder whether the U.S. government or other entities might have retaliated against the group, forcing it off the grid.
“While the master decryption key has been acquired, the attack should not be considered to be over,” Righi cautioned. “REvil is a group that is known to exfiltrate data from victims. Therefore, the group may still have copies of data stolen from victims. The group could use this data to extort victims or auction off the data as it has done in the past on its website Happy Blog. However, the group’s current activities are unknown since going dark on July 13, 2021, when their sites vanished and representatives got banned on prominent forums.”
In the meantime, Kaseya remains busy trying to recover from the attack. On July 11, the company released a patch to fix the security bug for all VSA on-premises customers. Since then, Kaseya has deployed more patches to eliminate additional bugs and address functionality issues caused by the enhanced security put in place following the incident. But the threat of ransomware remains as strong as ever.
“This should be used as a lesson for organizations of all sizes, hopefully resulting in better protections within organizations and MSPs alike,” Kron said.
“Whenever an organization trusts external entities with the keys to their kingdom, they are undertaking a serious risk,” Kron added. “Likewise, when MSPs are given this access, it is imperative that they aggressively protect their customers. For organizations that have been taken down by ransomware due to the lack of backups, or if their backups were encrypted, leaving them vulnerable, this is a great time to have some hard discussions with their service providers in an effort to eliminate the threat in the future.”