Zffoto - stock.adobe.com
Kaseya, the IT services supplier that was the subject of a REvil/Sodinokibi ransomware attack orchestrated through a series of vulnerabilities in its VSA product earlier in July 2021, says it has managed to obtain a universal decryptor key to enable ransomed customers to unlock their files for free.
The firm took possession of the decyption tool on 21 July and is currently contacting customers whose systems were locked by the REvil syndicate in order to remediate them.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” Kaseya said in a statement.
“Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”
The initial attack, which took place on Friday 2 July, immediately before the Independence Day holiday weekend in the US, saw about 60 managed service providers (MSPs) that use VSA encrypted, with significant impacts on thousands of downstream customers, many of them small businesses.
The REvil ransomware syndicate behind the attack had demanded a total of $70m to provide a universal decryptor, but a little over a week later, a significant chunk of the group’s infrastructure was taken offline for reasons that have still not been established.
This, coupled with the insistence of Kaseya CEO Fred Voccola that the company would not negotiate with its attackers in any circumstances, and the use of the term “trusted third party” would seem, at the time of writing, to suggest that Kaseya has not paid a ransom.
Computer Weekly’s sister title SearchSecurity asked Kaseya whether or not receipt of the key was linked to a ransom payment made either by the firm itself, or by a third party, but Kaseya declined to provide further details.
This has led to speculation in the security community that the key was handed over by a disgruntled REvil affiliate, that the gang has been pressured by the Russian government to hand the key over to law enforcement, or that it has been subject to an as-yet undisclosed action by the US authorities.
Eset’s Jake Moore said it was indeed likely that one of these scenarios was the most probable. “Decryption tools either mean the company has paid the ransom, or governments have got involved in the discovery,” he said. “It is usually very rare to locate a tool to so simply fix the problems, but it can be the only hope for affected organisations.
“With 19 days since the attack, those companies affected may have dodged a huge bullet with this decryptor and the sickening feeling of the attack may now bolster their future security.”
Timeline of the Kaseya incident
- Two days after one of the largest ransomware attacks in history by the REvil/Sodinokibi gang, the security community is assessing its next moves, while over 1,000 victims remain in limbo.
- Kaseya has revised upward the number of managed service providers compromised by the REvil ransomware gang in a supply chain attack at the weekend.
- Malwarebytes researchers highlight new spam campaign targeting businesses impacted by the ongoing Kaseya REvil ransomware incident.
- CEO of Kaseya apologises after pushing back the restoration of the firm’s VSA service following a REvil ransomware attack.
- MSP specialist Kaseya sets asides millions to help those affected by the ransomware attack that hit the firm five days ago.
- Kaseya has successfully deployed a patch to its ransomware-hit VSA product as per a revised schedule, and customers are beginning to come back online.