Kaseya—the remote management software seller at the center of a ransomware operation that struck as many as 1,500 downstream networks—said it has obtained a decryptor that should successfully restore data encrypted during the Fourth of July weekend attack.
Affiliates of REvil, one of the Internet’s most cutthroat ransomware groups, exploited a critical zero-day vulnerability in Miami, Florida-based Kaseya’s VSA remote management product. The vulnerability—which Kaseya was days away from patching—allowed the ransomware operators to compromise the networks of about 60 customers. From there, the extortionists infected as many as 1,500 networks that relied on the 60 customers for services.
Finally, a universal decryptor
“We obtained the decryptor yesterday from a trusted third party and have been using it successfully on affected customers,” Dana Liedholm, senior VP of corporate marketing, wrote in an email on Thursday morning. “We are providing tech support to use the decryptor. We have a team reaching out to our customers and I don’t have more detail right now.”
In a private message, threat analyst Brett Callow of security firm Emsisoft said: “We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.”
REvil had demanded as much as $70 million for a universal decryptor that would restore the data of all organizations compromised in the mass attack. Liedholm declined to say if Kaseya paid any sum in exchange for the decryption tool. Kaseya has since patched the zero-day used in the attack.
That means that, for the time being, it’s not publicly known if Kaseya paid the ransom or received it for free from either REvil, a law enforcement agency, or a private security company.
In the days following the attack, REvil’s site on the dark web, along with other infrastructure the group uses to provide technical support and process payments, suddenly went offline. The unexplained exit left victims and researchers worried that the data would remain locked up forever, since the only people with the ability to decrypt it had vanished.
Where did it come from?
REvil is one of several ransomware groups believed to operate out of Russia or another Eastern European country that was formerly part of Soviet Union. The group’s disappearance came a few days after President Joe Biden warned his Russian counterpart Vladimir Putin that, if Russia didn’t rein in those ransomware groups, the US might take unilateral action against them.
Observers have speculated since then that either Putin pressured the group to go quiet or the group, rattled by all the attention it received from the attack, decided to do so on its own.
Some of the companies victimized by the attack include Swedish grocery store chain COOP, Virginia Tech, two Maryland towns, New Zealand schools, and international textile company Miroglio Group.
REvil is also behind a crippling attack on JBS, the world’s biggest producer of meat. The breach caused JBS to temporarily close some plants.