Kaseya obtains decryptor tool to address REvil ransomware fallout

The key could have come from US or Russian authorities - or a paid ransom

IT firm Kaseya says it has obtained a 'universal decryptor key' for the ransomware attack that hit it earlier this month.

In an update on its website, Kaseya said that it obtained the tool from a third party. It's now delivering the tool to affected customers to help restore their environments.

There haven't been any reports of issues associated with the decryptor so far, the company says.

'Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims,' it added.

Kaseya likely obtained the decryptor key from one of three sources: the US government, the Russian government, or a ransom payment to the attackers.

Kaseya suffered a ransomware attack on 2nd July, suspected to be the work of the Russia-based REvil group. While only a small number of customers were directly affected, Kaseya's main business is remote-control software for managed-service providers; in turn, these companies provide IT services to hundreds or thousands of small- and medium-sized businesses.

To get in, the attackers exploited a zero-day vulnerability (CVE-2021-30116) in Kaseya's remote monitoring and management tool, VSA. They then leveraged that access to encrypt the IT systems of hundreds of businesses.

A researcher for the Dutch Institute for Vulnerability Disclosure (DIVD) had already reported the flaw to Kaseya, but the hackers struck while the company was in the process of writing a patch.

The Kaseya attack came less than a month after a summit between President Biden and Russian President Vladimir Putin in Geneva, where both leaders discussed the issue of cybersecurity in detail.

Biden asked Putin for Russia to stop giving safe haven to ransomware groups launching attacks on American enterprises.

Earlier this month, White House press secretary Jen Psaki said that President Biden was considering all options for how to respond to the attack.

The REvil group had originally demanded $70 million to provide a universal decryptor key. However, a few days ago the gang mysteriously disappeared from the internet, abandoning forums, disconnecting its servers, and shutting down a page on the dark web that it used to communicate with victims.

It is believed that the Russian government forced the group to cease its operations, to show the world that Russian authorities were working with the US government.

It is possible that Russia obtained the decryptor key directly from the operators and shared it with US agencies as a gesture of goodwill.

Cybersecurity firm Trustwave SpiderLabs said this month that the ransomware used in the Kaseya attack contained code designed to avoid computer systems whose default language was one from the former USSR region.

In May, cyber security expert Brian Krebs claimed that the DarkSide gang, which attacked Colonial Pipeline, used a 'do-not-install' list of countries in its code to spare organisations in Russia, as well as former Soviet satellite states that have cordial relations with the Kremlin.

Kaseya is the latest in a recent spate of high-profile ransomware victims, including JBS - which acknowledged last month that it paid REvil $11 million for decryption keys - and Colonial Pipeline. The latter attack crippled fuel delivery in the southeastern USA for several days.