Kaseya mysteriously obtains master REvil decryptor from ‘third party’
The company is now working to restore access to affected customers


Kaseya has obtained a universal decryption key to restore access to its networks as well as those of all businesses affected by a devastating ransomware attack spearheaded by REvil.
The company is distributing the master decryptor to customers affected by the attack earlier this month, as well as the customers of many managed service providers (MSPs) that used the compromised VSA platform. In total, the supply chain attack affected roughly 50 Kaseya customers directly, and up to 1,500 organisations in total.
Best ransomware removal tools REvil vanishes from the web without a trace The truth about ransomware
Kaseya claims that it obtained the decryption key “from a third party”, although it didn’t reveal the precise arrangements, the identity of this entity, nor whether any money changed hands at any stage.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said in an update.
“Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”
REvil previously demanded a ransom of $70 million for access to the universal decryptor, with the group claiming it’d infected “more than a million systems”. The gang, in addition, demanded a lesser sum of $44,999 from its victims if their endpoint had been hit, according to Sophos.
RELATED RESOURCE
2021 state of email security report: Ransomware on the rise
Securing the enterprise in the COVID world
REvil then vanished from the internet without a trace roughly ten days after the attack, with the security industry speculating this could be due to an internal fallout, action by law enforcement, or some form of exit scam. The group hasn’t yet re-emerged.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Kaseya first announced that its systems had been compromised after the group exploited flaws in its cloud-based IT management and remote monitoring product VSA.
REvil exploited a zero-day vulnerability to remotely access internet-facing servers, targeting the platform because a key functionality of VSA is to push software and automated IT tasks on request, without any checks. This served as an ideal route to target the clients of Kaseya's customers.
Kaseya had already been working on fixes for the targeted vulnerabilities, according to security DIVD CSIRT, although the hackers were able to exploit them before patches were finalised and pushed out.
The company eventually fixed the three flaws exploited as part of the attack a few days after the incident, as part of a wider update fixing seven vulnerabilities in total.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
Why Microsoft thinks diversity will keep security workers relevant in the age of agentic AI
News Improved AI skills and a greater focus on ensuring agents are secure at point of deployment will be key for staying ahead of attackers
By Rory Bathgate
-
Microsoft: get used to working with AI-powered "digital colleagues"
News Tech giant's report suggests we should get ready to work with AI, revealing future trends for the workplace
By Nicole Kobie
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
By Nicole Kobie
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
News Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
By Ross Kelly
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
By Emma Woollacott
-
Hackers are targeting Ivanti VPN users again – here’s what you need to know
News Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
By Emma Woollacott
-
Healthcare systems are rife with exploits — and ransomware gangs have noticed
News Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
By Nicole Kobie
-
Alleged LockBit developer extradited to the US
News A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
By Emma Woollacott
-
February was the worst month on record for ransomware attacks – and one threat group had a field day
News February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
By Emma Woollacott
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
News The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
By Solomon Klappholz