Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

Kaseya Says It Paid No Ransom to Obtain Universal Decryptor

Vendor of Remote Management Software - Used to Hit Victims - Helps Them Recover
Kaseya Says It Paid No Ransom to Obtain Universal Decryptor
Kaseya issued a statement Monday declaring it did not pay REvil a ransom to obtain a universal decryptor.

Remote management software company Kaseya said Monday that it obtained the ability to decrypt all systems for victims of a massive REvil - aka Sodinokibi - ransomware attack without paying criminals any ransom.

See Also: The Cost of Underpreparedness to Your Business

But Kaseya has still not revealed how it obtained the decryption keys or capability, other than to say it was supplied by a third party.

"We are confirming in no uncertain terms that Kaseya did not pay a ransom - either directly or indirectly through a third party - to obtain the decryptor," the company says.

"Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal. Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack, and we have not wavered from that commitment."

In June, REvil targeted meat processing giant JBS, which paid attackers an $11 million ransom.

Restoring Systems

On Thursday, Kaseya reported it had obtained a universal decryption key that could be used by the organizations affected by the attack targeting its software, many of which are small businesses that have been struggling to restore their files from backups or may have no backups at all.

Kaseya, working with the security firm Emsisoft, is now using the decryptor to restore victims' systems.

"We continue to provide the decryptor to customers that request it, and we encourage all our customers whose data may have been encrypted during the attack to reach out to your contacts at Kaseya," the company says. "The decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack."

The REvil Attack

As part of the ransomware attack unleashed on July 2, attackers targeted vulnerabilities in Kaseya's Virtual System Administrator, or VSA, software, via which they infected about 60 of its managed service provider customers and up to 1,500 of their clients.

REvil initially demanded a $70 million ransom for a "universal decryptor" to unlock all victims' crypto-locked systems, but quickly lowered its price to $50 million.

On July 13, REvil's infrastructure inexplicably went dark, and it has not come back online.

Some cybersecurity experts have noted that REvil was known to have stability problems, so its disappearance could have been due to a technical issue. Others, however, have noted that law enforcement action might have been responsible.

"We have certainly noticed that they've stood down their operations. We don't know exactly why," a White House official told reporters on July 18.

"Different groups have historically had stability woes, which isn't surprising given the way they operate," tweeted Kevin Beaumont, head of the security operations center for Arcadia Group. "While it's possible it's law enforcement, it's also very possible they've had an internal falling out again (another admin pulled plug), hardware failures, etc."

The security firm Check Point notes: "One possibility is a silent takedown, similar to what happened in the DarkSide situation, where hackers were silently taken offline. Though it might be too early to celebrate, another viable possibility is that the ransomware gang has decided to lay low, given all the attention."

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.