Kaseya, the remote management software vendor at the center of a ransomware operation that affected up to 1,500 downstream networks, said it has obtained a decryptor that should successfully restore data encrypted during the July 4 weekend attack.
Affiliates with REvil, one of the most ruthless ransomware groups on the internet, exploited a critical zero-day vulnerability in Miami, Florida-based Kaseya’s remote management product VSA. The vulnerability, which Kaseya was days away from patching, allowed ransomware operators to compromise the networks of about 60 customers. From there, the extortionists infected up to 1,500 networks that depended on the 60 clients for services.
Finally, a universal decryptor
“We obtained the decryptor yesterday from a trusted third party and have been using it successfully on affected customers,” Dana Liedholm, senior vice president of corporate marketing, wrote in an email Thursday morning. “We are providing technical support to use the decryptor. We have a team that communicates with our clients and I have no further details at this time.”
In a private message, threat analyst Brett Callow from security firm Emsisoft said: “We are working with Kaseya to support their customer engagement efforts. We have confirmed that the key is effective in unlocking victims and we will continue to support Kaseya and its clients.”
REvil had demanded up to $70 million for a universal decryptor that would restore the data of all organizations compromised in the massive attack. Liedholm declined to say whether Kaseya paid any money in exchange for the decryption tool. Kaseya has since patched the zero-day used in the attack.
At the moment, it is not publicly known whether Kaseya paid the ransom or received the decryptor for free from REvil, a law enforcement agency or a private security company.
In the days after the attack, REvil’s dark web site, along with other infrastructure the group uses to provide technical support and process payments, suddenly went offline. The inexplicable exit left victims and investigators concerned that the data would remain locked forever, as the only people with the ability to decrypt it had disappeared.
Where did it come from?
REvil is one of several ransomware groups believed to be operating from Russia or another Eastern European country that was previously part of the Soviet Union. The group’s disappearance came a few days after President Joe Biden warned his Russian counterpart, Vladimir Putin, that if Russia did not control those ransomware groups, the United States could take unilateral action against them.
Observers have since speculated that either Putin pressured the group to shut down, or the group, shaken by all the attention it received from the attack, decided to go it alone.
Some of the companies targeted in the attack include the Swedish grocery chain Coop, Virginia Tech, two Maryland cities, New Zealand schools and the international textile company Miroglio Group.
REvil was also behind a crippling attack on JBS, the world’s largest meat producer. The breach caused JBS to temporarily shut down some plants.