IT management software firm Kaseya Ltd. has obtained a master decryptor for victims of the REvil ransomware attack that targeted its customers earlier this month.
Kaseya said in a security update that it has obtained the tool from a third party and has teams actively helping customers affected by the ransomware to restore their environments. The company added that there are no reports of problems or issues with the decryptor and that it is working with Emsisoft Ltd. to support customer engagement efforts.
The attack by REvil started July 2 and targeted a zero-day vulnerability in the Kaseya VSA remote management application. Exactly how many Kaseya downstream customers were affected remains unclear, but estimates have put the number at between 800 and 1,500.
REvil subsequently demanded a $70 million ransom payment for a decryption key.
The attack gained the attention of the White House, which threatened to take action against Russia if the REvil attack was linked to the country. REvil is believed to operate out of Russia but is not known to be linked to the Russian government. Following the threat, REvil disappeared on July 13. Whether this was an action taken by the Russian government or a decision by REvil to cut and run is unknown.
That REvil has seemingly disappeared raises the question of how Kaseya obtained the decryption key. When asked by Bleeping Computer for details, the company declined to say from whom it obtained the decryptor. Adding fuel to the fire, Kaseya also refused to confirm or deny whether it had made a ransom payment.
However Kaseya obtained the decryptor, the fact that it now has one will come as a relief to its customers.
“The sudden appearance of this universal key suggests that it is possible that this ransom may have been paid, although it is likely that the ransom would have been negotiated to a lower price,” Ivan Righi, cyber threat intelligence analyst at digital risk protection solutions company Digital Shadows Ltd., told SiliconANGLE. “While the master decryption key has been acquired, the attack should not be considered to be over.”
“REvil is a group that is known to exfiltrate data from victims. Therefore, the group may still have copies of data stolen from victims,” Righi explained. “The group could use this data to extort victims or auction off the data, as it has done in the past on its website Happy Blog. However, the group’s current activities are unknown since going dark on 13 July 2021, when their sites vanished and representatives got banned on prominent forums.”