
Kaseya said that it has obtained a decryptor after the REvil ransomware attack left the remote management software seller in shambles. As many as 1500 downstream networks were affected during the Fourth of July weekend.

REvil is one of the most brutal ransomware groups in the world and it is believed that affiliates of the group exploited critical zero-day flaws in Kaseya’s VSA remote management program.

Kaseya said that it was days from patching the vulnerability but was beaten to the punch by REvil, which infected the networks of about 60 customers.

The ransomware cascades

The problem with an attack like this is that it does not stop at the initial targets: it cascades down to the customers that depend on them. The roughly 60 networks infected directly went on to infect the networks that rely on them, which is why the total count is so high.

Dana Leidholm, the senior Veep of corporate marketing, said in an email that Kaseya obtained the decryptor from a trusted third party and has been using it successfully on affected networks.

Brett Callow, of security firm Emsisoft, said in a private message that his firm is working with Kaseya to support customer engagement after it was confirmed the key works.

Did Kaseya pay for the key?

At this point, it is unclear whether it did. However, we know that REvil asked for as much as $70 million to provide a universal decryptor that they claimed could unlock all affected networks.

In the days that followed the attack, REvil’s site on the dark web, along with the infrastructure it uses for payment processing and technical support, went offline. The move worried affected customers, since the only people known to hold the key had disappeared.

Since REvil is thought to be Russian, or based in an Eastern European country that was part of the former Soviet Union, it is speculated that Biden’s pressure on Putin to rein in his country’s hacker groups may have influenced REvil’s disappearance.