Kaseya has obtained a master decryption key for the REvil ransomware that locked up the systems of at least 60 of its customers in a spate of worldwide cyber-attacks on July 2.
The vendor will work with customers affected by the early July batch of ransomware attacks to unlock files; it’s unclear if the ransom was paid.
The attacks, which exploited now-patched zero-days in the Kaseya Virtual System/Server Administrator (VSA) platform, affected Kaseya customers in 22 countries using the on-premises version of the platform – many of which are managed service providers (MSPs) who use VSA to manage the networks of other businesses.
In addition to the 60 direct customers, around 1,500 related customers of those MSPs were also affected.
The VSA software is used by Kaseya customers to remotely monitor & manage software & network infrastructure.
After the attacks, the REvil gang (aka Sodinokibi) demanded $70m for a universal public decryption key that will unlock all impacted victims – a price that 1 researcher said was eventually lowered to $50m.
Late on Thur. pm, the vendor announced via its rolling advisory on the incident that it had obtained the decryptor “through a 3rd party.” It’s unclear if the ransom was indeed paid.
Impacted by the Ransomware
“We can confirm that Kaseya obtained the tool from a 3rd party & have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” it said.
“Kaseya is working with Emsisoft to support our customer engagement efforts, & Emsisoft has confirmed the key is effective at unlocking victims…Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.”
Deepening the mystery is the fact that REvil as a criminal organisation went dark July 13, when its sites vanished & representatives were banned on prominent underground forums.
Emsisoft isn’t releasing further details: “We are working with Kaseya to support their customer engagement efforts,” Emsisoft outlined in a statement. “We have confirmed the key is effective at unlocking victims & will continue to provide support to Kaseya & its customers.”
“The sudden appearance of this universal key suggests that it is possible that this ransom may have been paid, although it is likely that the ransom would have been negotiate to a lower price,” Ivan Righi, Cyber-Threat Intelligence Analyst at Digital Shadows, stated.
Nightmare Isn’t Over
Even though the master decryption key has been acquired, the attack should not be considered to be over, researchers warned. REvil is known for its double-extortion attacks, where company data is stolen in addition to being hit with ransomware.
“The group may still have copies of data stolen from victims,” Righi said. “The group could use this data to extort victims or auction off the data, as it has done in the past on its website Happy Blog.”
Erich Kron, Security Awareness Advocate at KnowBe4, noted that remediation will take more than simply applying the unlocking mechanism to files.
“Significant damage has been done already in the way of downtime & recovery costs, both currently & in the future,” he noted via email.
“Even with the data decrypted, there are significant costs associated with restoring devices & data. Simply decrypting the data does not resolve issues that remain, such as potentially installed back doors the attackers could use at a later date. This means there is still a lot of work ahead.”
Tim Wade, Technical Director on the CTO team at Vectra, outlined that there could be other nasty surprises for victims to watch out for following the attacks.
“From a distance, the emergence of a master key may appear more comforting than it should,” he warned. “The value of accelerating the restoration of data & services shouldn’t be trivialised, but it won’t exactly erase the already extensive cost of these attacks.
This is a cost carried both in terms of the historic disruption, but also given the proclivity of these criminal operators to leave lingering backdoors, the ongoing need to rebuild compromised infrastructure into a clean, trustworthy state.
So yes, sidestepping how this key may have been acquired, it may have some positive outcomes but as they say – it isn’t over ’til it’s over.”
While this particular attack was far-reaching & significant, it’s not the 1st cyber-attack to affect MSPs & their downstream customers in 2021 The Clop ransomware gang for example went after the Accellion legacy FTA software for file transfers in Feb.; multiple Accellion FTA customers, including the Jones Day Law Firm, Kroger, Shell & Singtel were all affected.
The incidents point at a lesson for organisations of all sizes, researchers noted, when it comes to the MSP biz.
“Whenever an organisation trusts external entities with the keys to their kingdom, they are undertaking a serious risk,” Kron explained.
“Likewise, when MSPs are given this access, it is imperative that they aggressively protect their customers. For organisations that have been taken down by ransomware due to the lack of backups, or if their backups were encrypted, leaving them vulnerable, this is a great time to have some hard discussions with their service providers in an effort to eliminate the threat in the future.”