Kaseya denies paying ransom for universal decryptor–no comment on NDA


On 21st July, software company Kaseya denied having paid any ransom for a universal decryptor tool. Following many days of speculation, the company set the record straight regarding news that it had paid REvil the handsome amount the group had asked for.

The events that transpired

This comes after it was reported that Kaseya had obtained a universal decryption tool from a ‘third-party’ to help the ransomware attack victims get their data back.

Working in collaboration with security company Emsisoft, Kaseya managed to obtain a tool that would allow all of its customers to access the data they had been locked out of.

As announced in a statement by Kaseya, REvil had demanded $70 million to return the data it had stolen. However, this statement goes on to say that Kaseya has not paid any of this to the ransomware group.

Before REvil went dark on 13th July, they had lowered their demand from $70 million to $50 million.

What did Kaseya do?

According to Kaseya, it did not bow to these demands. Instead, using a third party, it was able to get its hands on a universal decryption tool.

“We are confirming in no uncertain terms that Kaseya did not pay a ransom — either directly or indirectly through a third party — to obtain the decryptor,” Kaseya’s statement said. 

The statement goes on to say that after consultation with its legal advisors, Kaseya decided not to negotiate with REvil and stands by this decision.

Kaseya has been inviting the attack victims to come forward so that it can help them get back their stolen data. This step was welcomed by all those affected, but there was a catch – they had to sign an NDA.

NDA – why?

As confirmed by CNN, Kaseya was indeed asking its customers to sign the non-disclosure agreement.

Customers complained that Kaseya had asked them to sign an NDA before it would give them access to the decryptor. This might seem like a strange step, but there is some logic and reason to it.

According to former White House Chief Information Officer Theresa Payton, while it is odd that Kaseya asked its customers to sign an NDA, this is undoubtedly not something unheard of.

“When a cyber-incident impacts multiple victims in a supply chain attack, sometimes the legal counsel will ask victims to sign an NDA to ensure that the fix for the problem does not get disclosed publicly,” Payton said. 

Is it good or bad?

She adds that there are probably no ill intentions behind this, but if people still feel the need for more clarity, it's best if they consult their lawyers. There is a very high chance that it is for the safety of customer data, but if it isn't and is instead a way to avoid a lawsuit, this would certainly be unethical.

There is no way for us to confirm the reason behind the NDA, but regardless, it is of benefit to Kaseya. Being a victim of a cyber-attack is bad enough, but having details of the investigation leaked to the media would be a PR disaster for the company and its stakeholders.