Software vendor caught up in ransomware attack obtains decryptor key
By Brian Fung and Geneva Sands, CNN Business
Kaseya, the software firm whose remote monitoring and management tool was used to deliver REvil ransomware to hundreds of businesses around the world this month in a devastating supply-chain attack, has obtained a decryptor key allowing it to unlock networks encrypted by the malware, the company confirmed to CNN Business.
Kaseya is currently helping to restore the systems of customers whose networks are still locked down by REvil’s software, it said.
“I can confirm we have received a decryptor and are currently working to assist the customers impacted by the attack,” said Kaseya spokesperson Dana Liedholm. “We can’t share the source but can say it’s from a trusted third party.”
Liedholm declined to answer further questions about whether the decryptor key had been reverse-engineered from the REvil malware.
Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, said his firm had verified the effectiveness of the key at restoring victim data.
“We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers,” Callow told CNN.
Underscoring that point, Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, said that although he is not involved with the situation at Kaseya, he’s confident the key should work.
“There are very limited circumstances where I’ve obtained a decryptor during a negotiation and found out it either doesn’t work or found some major problem with it,” Schmitt said. “The percentage of cases or incidents where the decryptor just flat-out doesn’t work is really, really low and is closer to zero than anything.”
The Kaseya attack has been called one of the largest ransomware attacks in history. On July 2, hackers affiliated with REvil — a cybercriminal gang that is believed to operate out of Eastern Europe or Russia — used Kaseya’s remote management tools to deliver malicious software to Kaseya’s customers that encrypted their data and locked them out.
It is still unclear how the attackers managed to gain access to Kaseya’s product.
Many of Kaseya’s customers are IT support firms that help small businesses such as dentists’ offices, local restaurants and accounting firms with their information technology needs. When the support firms were hit, their own customers were also affected, prompting Kaseya to estimate later that as many as 1,500 organizations worldwide may have been compromised by the ransomware.
REvil issued an eye-popping $70 million ransom demand in exchange for a decryptor key that could unlock all of the affected systems at once. But even as some companies were still reeling from the attack, REvil vanished from the internet — with most of its websites going dark.
The group’s mysterious disappearance last week has sparked speculation as to its fate. The US government has steadfastly declined to say whether it played a role, though the Biden administration has vowed to crack down on ransomware. And, in the case of Colonial Pipeline, US law enforcement officials have been able to track and recover some of the money the company paid to its ransomware attackers — a group known as DarkSide that has also since disappeared.
The-CNN-Wire™ & © 2021 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.