Kaseya Denies Ransom Payment As Decryptor Key Released

Information technology business Kaseya has obtained a universal decryptor key following a ransomware attack earlier this month. The decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack.

Russian cyber gang REvil was behind the cyberattack that occurred over the American Independence Day weekend.

“On Friday (02.07.21), we launched an attack on MSP providers,” the initial ransom demand read. “More than a million systems were infected. If anybody wants to negotiate about a universal decryptor, our price is $70,000,000 in BTC.”

Working with government agencies and several cybersecurity firms, Kaseya obtained a decryptor key within three weeks, having relied on various patches to manage the problem in the meantime.

“When Kaseya obtained the decryptor last week, we moved as quickly as possible to safely use the decryptor to help our customers recover their encrypted data,” the Florida-based business said on Monday. Kaseya is encouraging all impacted customers who haven’t already contacted them to obtain the decryptor key.

Kaseya specialises in IT solutions developed for MSP and enterprise clients to manage infrastructure remotely. While very few of Kaseya’s direct customers got caught up in the cyberattack, approximately 30 MSP customers were, and the impact filtered through to an estimated 1,500 indirect customers.

Most moved quickly to access the decryptor key despite having to sign a non-disclosure agreement.

The FBI called the cyberattack a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”

The initial ransom demand was US$70 million, later lowered to $50 million. But by mid-July, REvil stopped communicating. Some commentators speculated that US government agencies had successfully disrupted the online criminal gang. There is also the suggestion that the Russian Government put pressure on REvil to go quiet in the face of global publicity.

Unlike some recent high profile ransomware victims, Kaseya confirmed on Monday it did not pay any ransom.

“Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack. We are confirming in no uncertain terms that Kaseya did not pay a ransom, either directly or indirectly through a third party, to obtain the decryptor.”

Cybersecurity firm Huntress helped investigate the Kaseya attack. They say the attackers exploited an arbitrary file upload and code injection vulnerability and used an authentication bypass to access VSA servers at MSPs worldwide.

Kaseya has said they obtained the decryptor key from a “trusted third party,” declining to name that third party.

“We had the tool validated by an additional third party and have begun releasing it to our customers affected,” a Kaseya spokesperson said this week.

Software firm Emsisoft later confirmed they validated the decryptor key and continue to work with Kaseya to distribute it. On Monday, Emsisoft CTO Fabian Wosar noted:

“We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.”

Kaseya is making the decryptor key available to all customers who request it.