Almost three weeks ago, a ransomware attack on a little-known software company called Kaseya escalated into an epidemic when hackers took over the computers of about 1,500 businesses, including a large Swedish grocery chain. Last week, the notorious group behind the hack disappeared from the Internet, leaving victims unable to pay to free their systems. But now the situation seems close to a final resolution, thanks to the unexpected appearance on Thursday of a universal decryption tool.
The July 2 hack was as bad as it gets. Kaseya provides IT management software that is popular with so-called managed service providers (MSPs), companies that offer IT infrastructure to businesses that would rather not run it themselves. By exploiting a bug in Kaseya's MSP-targeted software, the Virtual System Administrator, the REvil ransomware group was able to infect not only those MSPs but their clients as well, causing a wave of havoc.
In the weeks since, victims have had essentially two choices: pay the ransom to restore their systems, or rebuild what was lost from backups. For many individual companies, REvil set ransoms of approximately $45,000. From MSPs it sought $5 million. And the price of the universal decryptor was initially set at $70 million. The group later dropped that to $50 million before disappearing, likely in an attempt to lie low at a moment of intense pressure. When they disappeared, they took their payment portal with them, leaving victims stranded, unable to pay even if they wanted to.
Kaseya spokeswoman Dana Liedholm confirmed to WIRED that the company received the universal decryptor from a “trusted third party,” but did not specify who provided it. “We have a team actively working with our customers who have been affected, and we will share more on how we will make this tool available as soon as this information becomes available,” Liedholm said in an emailed statement, adding that work with victims has already begun with the help of antivirus firm Emsisoft.
“We are working with Kaseya to support their customer acquisition efforts,” Emsisoft threat analyst Brett Callow said in a statement. “We have confirmed that the key is effective in unblocking victims and will continue to provide support for Kaseya and its customers.”
Security firm Mandiant is working with Kaseya on the broader remediation effort, but a Mandiant spokesperson referred WIRED back to Liedholm when asked for further clarity on who provided the decryption key and how many victims still need it.
The ability to free every device that remains encrypted is undoubtedly good news. But the number of victims left to help at this point may be a relatively small fraction of the initial wave. “The decryption key is probably useful to some customers, but it’s probably too late,” says Jake Williams, CTO at security firm BreachQuest, which has several clients affected by the REvil campaign. This is because anyone who could restore their data through backups, payment, or otherwise would probably have done so already. “This is most likely to help best in cases where there is some unique data in the encrypted system that simply cannot be recovered in any way,” says Williams. “In such cases, we advised these organizations to pay immediately for decryption keys if the data was critical.”
Many of REvil’s victims were small and medium-sized businesses; as MSP customers, they are by definition the type that prefers to outsource its IT needs, which in turn means they are less likely to have reliable backups. Still, there are other ways to recover data, even if it means asking customers and suppliers to resend everything they have and starting from scratch. “Hardly anyone hoped for a key,” Williams says.