Kaseya mysteriously obtains master REvil decryptor from ‘third party’

Kaseya has obtained a universal decryption key to restore access to its networks as well as those of all businesses affected by a devastating ransomware attack spearheaded by REvil.

The company is distributing the master decryptor to customers affected by the attack earlier this month, as well as the customers of many managed service providers (MSPs) that used the compromised VSA platform. In total, the supply chain attack affected roughly 50 Kaseya customers directly, and up to 1,500 organisations in total.

Kaseya claims that it obtained the decryption key “from a third party”, although it didn’t reveal the precise arrangements, the identity of this entity, nor whether any money changed hands at any stage.

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said in an update.

“Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”

REvil previously demanded a ransom of $70 million for access to the universal decryptor, with the group claiming it’d infected “more than a million systems”. The gang, in addition, demanded a lesser sum of $44,999 from its victims if their endpoint had been hit, according to Sophos.

REvil then vanished from the internet without a trace roughly ten days after the attack, with the security industry speculating this could be due to an internal fallout, action by law enforcement, or some form of exit scam. The group hasn’t yet re-emerged.

Kaseya first announced that its systems had been compromised after the group exploited flaws in its cloud-based IT management and remote monitoring product VSA.

REvil exploited a zero-day vulnerability to remotely access internet-facing servers, targeting the platform because a key functionality of VSA is to push software and automated IT tasks on request, without any checks. This served as an ideal route to target the clients of Kaseya's customers.

Kaseya had already been working on fixes for the targeted vulnerabilities, according to security DIVD CSIRT, although the hackers were able to exploit them before patches were finalised and pushed out.

The company eventually fixed the three flaws exploited as part of the attack a few days after the incident, as part of a wider update fixing seven vulnerabilities in total.