Kaseya mysteriously obtains master REvil decryptor from ‘third party’

The company is now working to restore access to affected customers

Kaseya has obtained a universal decryption key to restore access to its networks as well as those of all businesses affected by a devastating ransomware attack spearheaded by REvil.

The company is distributing the master decryptor to customers affected by the attack earlier this month, as well as the customers of many managed service providers (MSPs) that used the compromised VSA platform. In total, the supply chain attack affected roughly 50 Kaseya customers directly, and up to 1,500 organisations in total.

Kaseya claims that it obtained the decryption key “from a third party”, although it didn’t reveal the precise arrangements, the identity of this entity, nor whether any money changed hands at any stage.

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said in an update.

“Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”

REvil previously demanded a ransom of $70 million for access to the universal decryptor, with the group claiming it’d infected “more than a million systems”. The gang, in addition, demanded a lesser sum of $44,999 from its victims if their endpoint had been hit, according to Sophos.

Related Resource

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

2021 state of email security report: Ransomware on the rise - whitepaper from MimecastFree download

REvil then vanished from the internet without a trace roughly ten days after the attack, with the security industry speculating this could be due to an internal fallout, action by law enforcement, or some form of exit scam. The group hasn’t yet re-emerged.

Kaseya first announced that its systems had been compromised after the group exploited flaws in its cloud-based IT management and remote monitoring product VSA.

REvil exploited a zero-day vulnerability to remotely access internet-facing servers, targeting the platform because a key functionality of VSA is to push software and automated IT tasks on request, without any checks. This served as an ideal route to target the clients of Kaseya's customers.

Kaseya had already been working on fixes for the targeted vulnerabilities, according to security DIVD CSIRT, although the hackers were able to exploit them before patches were finalised and pushed out.

The company eventually fixed the three flaws exploited as part of the attack a few days after the incident, as part of a wider update fixing seven vulnerabilities in total.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021
Almost 70% of CISOs expect a ransomware attack
ransomware

Almost 70% of CISOs expect a ransomware attack

19 Oct 2021

Most Popular

Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022