BREAKING — Kaseya has obtained the decryption key for the massive ransomware attack it suffered earlier this month, but the company won’t say how other than that it came from a “trusted third party.”
The IT management software vendor disclosed a supply-chain attack on July 2 that compromised approximately 60 of its managed service provider (MSP) customers and up to 1,500 MSP clients. Ransomware gang REvil had exploited zero-day vulnerabilities in Kaseya’s endpoint management and network monitoring product VSA, and used said exploits to send malicious updates that facilitated the enormous ransomware attack.
NBC News reporter Kevin Collier tweeted Thursday that Kaseya had obtained the decryptor key “from a trusted third-party” the day before — 19 days after the initial attack — and was working with customers.
A Kaseya spokesperson confirmed in an email to SearchSecurity that Kaseya had obtained the key from an unnamed third party and that “after having it validated, we immediately began working with our customers.” The spokesperson declined to answer questions about whether the receipt of the key involved a ransom payment made by Kaseya or a third party working on its behalf, or whether any additional information on the third party could be shared, citing “confidentiality reasons.”
REvil had originally demanded a $70 million ransom for a one-time, universal decryptor for all impacted victims.
Following the attack, Kaseya struggled to get VSA back online. In part due to the recovery process and in part to harden the product’s security before relaunch, the vendor missed its planned July 7 window for redeployment and ultimately re-released VSA, along with on-premises and SaaS patches, on July 11. Kaseya CEO Fred Voccola called the delay “probably the hardest decision I’ve had to make in my career.”
A complete history of updates is available on Kaseya’s attack information page.
Reporting in progress — full story to follow.
Alexander Culafi is a writer, journalist and podcaster based in Boston.