Kaseya Obtains Decryptor Key for Recent Ransomware Attacks

The IT enterprise firm obtained the universal decryptor key following the REvil attacks that took place on July 3.

After being hit by a significant cyberattack over the Fourth of July weekend, IT enterprise firm Kaseya says that it has obtained a universal decryptor key for victims of the REvil ransomware attacks.

Kaseya Senior VP of Marketing Dana Liedholm said the decryptor key the company obtained does work. She would not reveal any details about how or where the key was obtained, other than that it came from a trusted third party.

According to a TechRepublic article, the company has been working to help victims of the ransomware attack and announced that they would be contacted by Kaseya representatives.

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said, as reported in the TechRepublic article. “Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”

Ivan Righi, a cyber threat intelligence analyst at Digital Studios, says the sudden appearance of the decryptor key likely means the ransom demanded after the attack was paid, probably after being negotiated down to a lower price.

Erich Kron, a security awareness advocate at KnowBe4, called obtaining the decryptor key good news, but also pointed out that a great deal of damage has already been done and that victims are still recovering from the attack.

“Even with the release of the universal decryptor, organizations that had data exfiltrated as part of the ransomware infection, a common occurrence with REvil and modern ransomware, still have to deal with the impact of a data breach and all that entails,” Kron says in the TechRepublic article. “For regulated industries, this could be very costly.”

The attack affected more than 1,000 organizations that use Kaseya’s VSA product, which was compromised along with the VSA servers deployed at its customers.

REvil claimed to have infected more than one million systems and later offered to post a universal decryptor key that would allow the affected companies to recover their files in exchange for $70 million worth of bitcoin.

Since the attack, REvil has mysteriously disappeared from public view: its Dark Web sites and blog are offline, and the infrastructure through which victims would make payments is no longer available.

“While the master decryption key has been acquired, the attack should not be considered to be over,” Righi cautions in the TechRepublic article. “REvil is a group that is known to exfiltrate data from victims. Therefore, the group may still have copies of data stolen from victims. The group could use this data to extort victims or auction off the data as it has done in the past on its website Happy Blog.”

Kaseya has been working to recover since the attack by releasing patches that fix the security bug in VSA, but despite all of this, the threat of ransomware attacks remains as strong as ever.