After the breach of remote management software company Kaseya and the thousands of clients downstream from it by REvil ransomware, the perpetrators disappeared abruptly leaving many victims in the lurch. Good news has arrived as Kaseya appears to have received a decryption key nearly three weeks into the attack.
Kaseya won’t say exactly how it came by the decryption key, save that it came from a “third party.” But it is actively working to get in touch with customers impacted by the ransomware, and thus far has not heard of any issues with its use to unlock systems.
Kaseya decryption key solves rough situation for thousands of businesses
The Kaseya ransomware attack struck at a particularly inopportune time, just ahead of a long July 4 weekend in the United States when IT staff would be heading off duty for at least three days. Compromising the company’s VSA service, used in turn by many managed service providers who in turn have a high degree of access to their individual business clients, the REvil ransomware quickly spread to tens of thousands of businesses.
The situation became even worse on July 13 as REvil suddenly pulled up stakes and disappeared entirely from the web. Hardly a strange move for a ransomware gang that pulls off such a major and damaging heist, but they generally finish conducting their business and collecting their money before vanishing. The REvil ransomware group shut down all of its dark web points of contact (including its “Happy Blog”) and stopped communicating with victims right in the middle of negotiations to make payments and unlock systems, leaving many companies in the lurch.
It is still unclear why the REvil ransomware group disappeared, but Kaseya now finds itself with the universal decryption key in its hands. How it got there has been left to speculation. Kaseya may have paid a sum to REvil for it, or the gang may have been breached by either the US or Russian governments. There is also the possibility that the hackers reformed their criminal ways and are trying to make amends, though that seems to be by far the most remote scenario of the bunch. The company had been seeking $70 million from Kaseya to undo all the damage, and the firm would not confirm or deny that it had paid a ransom to obtain the decryption key.
Independent cybersecurity firm Emsisoft has verified that the decryption key works and will restore systems hit by the REvil ransomware. This likely comes too late for some of the victims, who were given a time limit to pay up or see their data destroyed, but those that were negotiating with REvil when the group disappeared will be quite happy to hear the news. Kaseya is directly reaching out to its impacted customers and has teams ready to work with them on remediation.
Did government forces get to the REvil ransomware gang?
Given that companies generally want to keep ransom payments out of the news as much as possible, and that Kaseya would not deny that it made a payment, the most likely explanation is that it made some sort of arrangement to get hold of the REvil ransomware decryption key.
While government involvement in obtaining the decryption key is less likely, it may have played a role in negotiations (and in the total disappearance of the REvil ransomware presence from the criminal underground). While neither government promised any sort of action in response to the Kaseya attack, REvil is thought to be based in Russia and the Biden administration has said that it expects the Russian government to begin acting against these sorts of groups. The administration has also put “hacking back” on the table when it feels a foreign government is being uncooperative, even when it might involve attacking a server in Russia or another foreign country. REvil may have been more inclined to make a steep reduction of its initial asking price given that the heat has been turned up on it.
But unless arrests are announced by one government or another, this is most likely not the end of the perpetrators behind the REvil ransomware. The group has already broken up and reformed once, starting out as “GandCrab” and racking up a claimed $2 billion in high-profile attacks from 2018 to 2019. GandCrab ended with a formal shutdown in which the members claimed they were “enjoying a well-earned retirement,” but they would resurface in about a year as REvil. Ransomware gangs often take breaks of some months and reform under a new name or split into new smaller groups after they draw a considerable amount of public attention.
For this reason, organizations that have been hit by REvil ransomware should expect that any exfiltrated data is still out there and may be put to use in the future (in phishing and business email compromise attempts, just to name a couple of common possibilities). Erich Kron, security awareness advocate at KnowBe4, notes: “Even with the release of the universal decryptor, organizations that had data exfiltrated as part of the ransomware infection, a common occurrence with REvil and modern ransomware, still have to deal with the impact of a data breach and all that entails. For regulated industries, this could be very costly. This should be used as a lesson for organizations of all sizes, hopefully resulting in better protections within organizations and MSPs alike. Whenever an organization trusts external entities with the keys to their kingdom, they are undertaking a serious risk. Likewise, when MSPs are given this access, it is imperative that they aggressively protect their customers. For organizations that have been taken down by ransomware due to the lack of backups, or if their backups were encrypted, leaving them vulnerable, this is a great time to have some hard discussions with their service providers in an effort to eliminate the threat in the future.”