Zffoto - stock.adobe.com

Kaseya obtains universal ransomware decryptor

Kaseya says it obtained a ransomware decryptor key from a trusted third party, but there is no word on whether a ransom was paid

Kaseya, the IT services supplier that was the subject of a REvil/Sodinokibi ransomware attack orchestrated through a series of vulnerabilities in its VSA product earlier in July 2021, says it has managed to obtain a universal decryptor key to enable ransomed customers to unlock their files for free.

The firm took possession of the decyption tool on 21 July and is currently contacting customers whose systems were locked by the REvil syndicate in order to remediate them.

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” Kaseya said in a statement.

“Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”

The initial attack, which took place on Friday 2 July, immediately before the Independence Day holiday weekend in the US, saw about 60 managed service providers (MSPs) that use VSA encrypted, with significant impacts on thousands of downstream customers, many of them small businesses.

The REvil ransomware syndicate behind the attack had demanded a total of $70m to provide a universal decryptor, but a little over a week later, a significant chunk of the group’s infrastructure was taken offline for reasons that have still not been established.

This, coupled with the insistence of Kaseya CEO Fred Voccola that the company would not negotiate with its attackers in any circumstances, and the use of the term “trusted third party” would seem, at the time of writing, to suggest that Kaseya has not paid a ransom.

Computer Weekly’s sister title SearchSecurity asked Kaseya whether or not receipt of the key was linked to a ransom payment made either by the firm itself, or by a third party, but Kaseya declined to provide further details.

This has led to speculation in the security community that the key was handed over by a disgruntled REvil affiliate, that the gang has been pressured by the Russian government to hand the key over to law enforcement, or that it has been subject to an as-yet undisclosed action by the US authorities.

Eset’s Jake Moore said it was indeed likely that one of these scenarios was the most probable. “Decryption tools either mean the company has paid the ransom, or governments have got involved in the discovery,” he said. “It is usually very rare to locate a tool to so simply fix the problems, but it can be the only hope for affected organisations.

“With 19 days since the attack, those companies affected may have dodged a huge bullet with this decryptor and the sickening feeling of the attack may now bolster their future security.”

Timeline of the Kaseya incident

Read more on Hackers and cybercrime prevention