Kaseya deploying ransomware decryptor key on victims of REvil attack
Kaseya, the information technology company whose software was exploited to deliver the REvil ransomware strain to its customers this month, announced it has obtained a universal decryptor key that restores infected systems.
Nearly three weeks after the crippling supply-chain attack, Kaseya said Thursday that it recently acquired the decryptor key and was successfully using it to restore customer systems that remain affected.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” Kaseya stated on its website, adding it was working with Emsisoft, a New Zealand-based anti-virus firm that specializes in helping victims rebound from ransomware attacks.
Kaseya did not offer details about the origins of the decryptor. A spokesperson for the Florida software company told reporters the key came from a “trusted third party” but did not specify further.
“We are working with Kaseya to support their customer engagement efforts,” Emsisoft said in a statement, adding it “confirmed the key is effective at unlocking victims” of the wide-scale ransomware attack.
REvil existed until recently as a ransomware-as-a-service operation. REvil’s developers licensed the custom malware to affiliates in exchange for a cut of any ransom payments received from their victims.
In addition to holding data hostage, REvil attackers occasionally also exfiltrated and then published online sensitive material stolen from victims who the attackers said failed to pay whatever sum was requested.
Kaseya announced July 3 that it was the victim of a “sophisticated cyberattack” in which its remote access software had been hacked and then used to attack its customers with the REvil ransomware strain.
Up to 1,000 businesses were affected by the attack, Kaseya has said, among them Coop, a Swedish supermarket chain that said it was forced to close hundreds of its stores for several days.
Victims of the attack were told by the perpetrators to pay a ransom to regain access to affected systems, and websites associated with REvil later offered to sell a master decryptor key for $70 million.
REvil vanished July 13, however, when all known websites and online infrastructure associated with the gang went offline, denying their victims a way of reaching the perpetrators should they wish to pay.
It was not clear if Kaseya had bought the master key from the ransomware gang or obtained it by other means.
“We can’t share the source but can say it’s from a trusted third party,” Kaseya spokesperson Dana Liedholm told reporters.
The White House says REvil was likely based in Russia. President Biden said he warned Russian President Vladimir Putin to rein in ransomware attacks coming from his country days before REvil vanished.
The FBI advises ransomware victims against paying.