Kaseya, the software company whose remote access tool was used to deliver REvil ransomware to hundreds of businesses around the world in a devastating supply-chain attack earlier this month, has obtained a decryptor key that will allow it to unlock networks seized by the malware, the company confirmed to CNN Business.
Kaseya is currently assisting customers whose systems were still locked down by REvil’s software, according to the company.
“I can confirm we have received a decryptor and are currently working to assist the customers impacted by the attack,” said Kaseya spokesperson Dana Liedholm. “We can’t share the source but can say it’s from a trusted third party.”
Liedholm remained tight-lipped when asked if the decryptor key had been reverse-engineered from the REvil malware.
According to Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, the key’s effectiveness in restoring victim data has been verified.
“Kaseya has asked us to help them with their customer engagement efforts. We’ve confirmed that the key works to unlock victims, and we’ll continue to assist Kaseya and its customers,” Callow told CNN.
Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, echoed this point, saying that while he is not involved in the Kaseya response, he is confident the key should work.
“There are very limited circumstances where I’ve obtained a decryptor during a negotiation and found out it either doesn’t work or found some major problem with it,” Schmitt said. “The percentage of cases or incidents where the decryptor just flat-out doesn’t work is really, really low and is closer to zero than anything.”
The Kaseya ransomware attack has been dubbed one of the largest in history. On July 2, hackers linked to REvil, a cybercriminal gang believed to be based in Eastern Europe or Russia, used Kaseya’s remote management tools to push malicious software to Kaseya customers, encrypting their data and locking them out of their systems.
The attackers’ method of gaining access to Kaseya’s product is still unknown.
Many of Kaseya’s customers are IT support companies that assist small businesses with their information technology needs, such as dentists’ offices, local restaurants, and accounting firms. When the support firms were hit, their own customers were also affected, prompting Kaseya to estimate that the ransomware may have infected as many as 1,500 organizations worldwide.
In exchange for a universal decryptor key that could unlock all of the affected systems at once, REvil demanded a $70 million ransom. Shortly afterward, REvil vanished from the internet, with most of its websites going dark, even as some companies were still reeling from the attack.
The mysterious disappearance of the group last week has sparked speculation about its whereabouts. Although the Biden administration has promised to crack down on ransomware, the US government has steadfastly refused to say whether it played a role. In the case of Colonial Pipeline, US law enforcement officials were able to track down and recover some of the money paid to the company’s ransomware attackers, a group known as DarkSide, which has since vanished.