Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management
Kaseya Says It Paid No Ransom to Obtain Universal DecryptorVendor of Remote Management Software - Used to Hit Victims - Helps Them Recover
Remote management software company Kaseya said Monday that it obtained the ability to decrypt all systems for victims of a massive REvil - aka Sodinokibi - ransomware attack without paying criminals any ransom.
But Kaseya has still not revealed how it obtained the decryption keys or capability, other than to say it was supplied by a third party.
"We are confirming in no uncertain terms that Kaseya did not pay a ransom - either directly or indirectly through a third party - to obtain the decryptor," the company says.
"Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal. Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack, and we have not wavered from that commitment."
In June, REvil targeted meat processing giant JBS, which paid attackers an $11 million ransom.
On Thursday, Kaseya reported it had obtained a universal decryption key that could be used by the organizations affected by the attack targeting its software, many of which are small businesses that have been struggling to restore their files from backups or may have no backups at all.
Kaseya, working with the security firm Emsisoft, is now using the decryptor to restore victims' systems.
"We continue to provide the decryptor to customers that request it, and we encourage all our customers whose data may have been encrypted during the attack to reach out to your contacts at Kaseya," the company says. "The decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack."
The REvil Attack
As part of the ransomware attack unleashed on July 2, attackers targeted vulnerabilities in Kaseya's Virtual System Administrator, or VSA, software, via which they infected about 60 of its managed service provider customers and up to 1,500 of their clients.
REvil initially demanded a $70 million ransom for a "universal decryptor" to unlock all victims' crypto-locked systems, but quickly lowered its price to $50 million.
On July 13, REvil's infrastructure inexplicably went dark, and it has not come back online.
Some cybersecurity experts have noted that REvil was known to have stability problems, so its disappearance could have been due to a technical issue. Others, however, have noted that law enforcement action might have been responsible.
"We have certainly noticed that they've stood down their operations. We don't know exactly why," a White House official told reporters on July 18.
"Different groups have historically had stability woes, which isn't surprising given the way they operate," tweeted Kevin Beaumont, head of the security operations center for Arcadia Group. "While it's possible it's law enforcement, it's also very possible they've had an internal falling out again (another admin pulled plug), hardware failures, etc."
The security firm Check Point notes: "One possibility is a silent takedown, similar to what happened in the DarkSide situation, where hackers were silently taken offline. Though it might be too early to celebrate, another viable possibility is that the ransomware gang has decided to lay low, given all the attention."