Kaseya, the vendor of remote management software at the center of a ransomware operation that hit as many as 1,500 downstream networks, said it has obtained a decryptor that should successfully recover data encrypted during the July 4 weekend attack.
Affiliates of REvil, one of the Internet's most cutthroat ransomware groups, exploited a critical zero-day vulnerability in the VSA remote management product from Miami, Florida-based Kaseya. The vulnerability, which Kaseya was days away from patching, allowed the ransomware operators to compromise the networks of approximately 60 customers. From there, the extortionists infected as many as 1,500 networks that depended on those 60 customers for their services.
Finally, a universal decryptor
“We obtained the decryptor from a trusted third party yesterday and used it successfully on affected customers,” Dana Liedholm, senior VP of corporate marketing, wrote in an email Thursday morning. “We provide technical support to use the decryptor. We have a team that is contacting our customers, and I don’t have any more details right now.”
In a private message, threat analyst Brett Callow of security firm Emsisoft said: “We are working with Kaseya to support their customer engagement efforts. We have confirmed that the key is effective in unlocking victims and we will continue to provide support to Kaseya and its customers.”
REvil had demanded as much as $70 million for a universal decryptor that would recover the data of all organizations affected by the massive attack. Liedholm declined to say whether Kaseya paid any amount in exchange for the decryption tool. Kaseya has since patched the zero-day used in the attack.
For now, it is not publicly known whether Kaseya paid the ransom or received the decryptor for free from REvil, a law enforcement agency, or a private security company.
In the days following the attack, REvil's dark web site, along with other infrastructure the group uses to provide technical support and process payments, suddenly went offline. The unexplained disappearance left victims and researchers worried that the data would be locked up forever, since the only people with the ability to decrypt it were gone.
Where did it come from?
REvil is one of several ransomware groups believed to be operating out of Russia or another Eastern European country that used to be part of the Soviet Union. The group’s disappearance came a few days after President Joe Biden warned his Russian counterpart Vladimir Putin that if Russia doesn’t curb those ransomware groups, the US could take unilateral action against them.
Observers have since speculated that either Putin pressured the group to go quiet or that the group, shocked by all the attention it received from the attack, decided to do so on its own.
Organizations that have fallen victim to the attack include Swedish supermarket chain COOP, Virginia Tech, two towns in Maryland, schools in New Zealand and international textile company Miroglio Group.
REvil is also behind a crippling attack on JBS, the world's largest meat producer. As a result of that breach, JBS had to temporarily close a number of plants.