Kaseya says it will work closely with customers affected by July’s outbreak of ransomware attacks to help them recover their files. However, it remains unclear whether Kaseya paid the ransom the attackers demanded.
Worldwide Outbreak Of Ransomware Attacks in July this year
The early July worldwide spate of cyberattacks affected at least 60 of Kaseya’s customers, locking up their systems.
The attacks exploited zero-day vulnerabilities, since patched, in the Kaseya Virtual System/Server Administrator (VSA) platform.
The affected customers, in 22 countries, were running the on-premises version of the platform. Many of them are managed service providers (MSPs) that use VSA to monitor and manage other businesses’ networks.
In addition to the 60 direct customers, approximately 1,500 downstream customers of those MSPs were also compromised.
Kaseya’s customers use its VSA software to supervise and manage network and software infrastructure remotely.
Hackers Demanded a Ransom of $70 Million in Exchange for the Decryptor
The REvil ransomware group was behind the attack on Kaseya and demanded a jaw-dropping $70 million for a universal decryptor that would unlock the data of every affected victim. The price was reportedly lowered to $50 million in negotiations; if the payment was in fact made, it would be the largest ransomware payout ever.
On Thursday afternoon, Kaseya announced that it had obtained the decryptor “through a third party”. Whether the ransom was paid remains unclear.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” it said. “Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims…Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.”
REvil Vanished on July 13
The REvil operation went dark on July 13, when its sites vanished from the Internet and its representatives were banned from prominent underground forums, only deepening the mystery.
Emsisoft hasn’t released any more details: “We are working with Kaseya to support their customer engagement efforts,” Emsisoft said in a statement given to Threatpost. “We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.”
“The sudden appearance of this universal key suggests that it is possible that this ransom may have been paid, although it is likely that the ransom would have been negotiated to a lower price,” Ivan Righi, cyber-threat intelligence analyst at Digital Shadows, said via email.
Decryption Doesn’t Mean the Nightmare is Over
Although a master decryptor key has been obtained, researchers warned that the attack might not be over. REvil is known for double-extortion attacks, in which it steals a victim’s data before encrypting it and then uses the stolen copy as additional leverage.
“The group may still have copies of data stolen from victims,” Righi said. “The group could use this data to extort victims or auction off the data, as it has done in the past on its website Happy Blog.”
Erich Kron, security awareness advocate at KnowBe4, noted that resolving the problems caused by the attack will take more than just running the decryptor over the files.
“Significant damage has been done already in the way of downtime and recovery costs, both currently and in the future,” he noted via email. “Even with the data decrypted, there are significant costs associated with restoring devices and data. Simply decrypting the data does not resolve issues that remain, such as potentially installed back doors the attackers could use at a later date. This means there is still a lot of work ahead.”
Tim Wade, technical director of the CTO team at Vectra, warned that victims could face other unpleasant surprises after the attacks.
“From a distance, the emergence of a master key may appear more comforting than it should,” he warned. “The value of accelerating the restoration of data and services shouldn’t be trivialized, but it won’t exactly erase the already extensive cost of these attacks. And this is a cost carried both in terms of the historic disruption, but also given the proclivity of these criminal operators to leave lingering backdoors, the ongoing need to rebuild compromised infrastructure into a clean, trustworthy state. So yes, sidestepping how this key may have been acquired, it may have some positive outcomes but as they say – it isn’t over ’til it’s over.”
As cyber threats never cease to evolve, and your company could be next on the target list, why postpone training and educating your employees on the online dangers?