Kaseya Snags a Universal Decryption Tool After Ransomware Attack
- By Dawna M. Roberts
- Published: Aug 06, 2021
- Last Updated: Mar 18, 2022
Software vendor Kaseya recently suffered a massive ransomware attack, but it has now obtained a universal decryption tool to help its customers recover.
What Happened?
On July 2, 2021, the REvil ransomware gang attacked Kaseya by exploiting a then-unpatched vulnerability in its Virtual System Administrator (VSA) remote-management software, which hundreds of managed service providers (MSPs) use to administer their clients' systems.
Roughly 60 MSPs and as many as 1,500 downstream businesses were affected by this single event. Unfortunately, many of the small-business clients had no usable backups and have struggled to restore their files.
REvil initially demanded $70 million for a universal decryptor and later reportedly reduced that figure to $50 million. Kaseya has not said whether it paid any ransom. However, it did obtain a universal decryption tool from a third party and will begin using it this week to help clients unlock their files and get back on track. Some observers wonder whether the affected clients pooled their money to pay for the universal key and end the nightmare.
The vulnerability has since been patched, but the aftermath continues. Oddly enough, the REvil gang's infrastructure went dark on July 13, shortly after the attack. It is unclear whether that has anything to do with Kaseya obtaining a universal decryption tool to free victims. Although a welcome development, REvil's disappearance does not mean the gang is gone for good, or that we have seen the last of this prolific group.
The attack affected victims in the U.S., Sweden, Australia, and South Africa.
The Fix
On July 23, Kaseya posted a public notice about the incident saying, “We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor. Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims…Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.”
Some experts suspect that Kaseya negotiated a lower ransom and paid it to get the key. That is only speculation at this point, however, with no confirmation from Emsisoft or Kaseya. Emsisoft is currently rolling out assistance to victims who are still locked out of their systems.
The Aftermath
Security analysts expect a harsh aftermath of lawsuits against Kaseya for not having adequate security measures in place and for not fixing the zero-day flaw before it was exploited. Dutch researchers had found the vulnerability about three months earlier and reported it to Kaseya, but a fix for the flaw that REvil exploited had not shipped by the time of the attack.
Some also fear that the attackers may have stolen copies of victims' data and could use it to extort further payments. However, because so many clients were hit in a single automated event, the prevailing view is that the attackers had no time to exfiltrate data and simply encrypted the files. Hopefully, that is the case.
Although some customers were able to restore from solid backups, many could not and are still struggling, waiting for the decryptor to reach them. Small businesses such as dental offices and law firms are having the most difficulty recovering.
Law enforcement has been very vocal lately in urging victims not to pay ransoms. As it stands now, however, and despite rumors that this could change, victims are not penalized for paying threat actors to unlock their files. Threat experts hope that Kaseya was able to obtain the decryption key without paying any ransom, since every payment only encourages further ransomware attacks.