Kaseya has obtained a universal decryption key to restore access to its networks as well as those of all businesses affected by a devastating ransomware attack spearheaded by REvil.
The company is distributing the master decryptor to customers affected by the attack earlier this month, as well as the customers of many managed service providers (MSPs) that used the compromised VSA platform. In total, the supply chain attack affected roughly 50 Kaseya customers directly, and up to 1,500 organisations in total.
Best ransomware removal tools REvil vanishes from the web without a trace The truth about ransomware
Kaseya claims that it obtained the decryption key “from a third party”, although it didn’t reveal the precise arrangements, the identity of this entity, nor whether any money changed hands at any stage.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said in an update.
“Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”
REvil previously demanded a ransom of $70 million for access to the universal decryptor, with the group claiming it’d infected “more than a million systems”. The gang, in addition, demanded a lesser sum of $44,999 from its victims if their endpoint had been hit, according to Sophos.
RELATED RESOURCE
2021 state of email security report: Ransomware on the rise
Securing the enterprise in the COVID world
REvil then vanished from the internet without a trace roughly ten days after the attack, with the security industry speculating this could be due to an internal fallout, action by law enforcement, or some form of exit scam. The group hasn’t yet re-emerged.
Kaseya first announced that its systems had been compromised after the group exploited flaws in its cloud-based IT management and remote monitoring product VSA.
REvil exploited a zero-day vulnerability to remotely access internet-facing servers, targeting the platform because a key functionality of VSA is to push software and automated IT tasks on request, without any checks. This served as an ideal route to target the clients of Kaseya's customers.
Kaseya had already been working on fixes for the targeted vulnerabilities, according to security DIVD CSIRT, although the hackers were able to exploit them before patches were finalised and pushed out.
The company eventually fixed the three flaws exploited as part of the attack a few days after the incident, as part of a wider update fixing seven vulnerabilities in total.
-
Why Microsoft thinks diversity will keep security workers relevant in the age of agentic AINews Improved AI skills and a greater focus on ensuring agents are secure at point of deployment will be key for staying ahead of attackers
-
Microsoft: get used to working with AI-powered "digital colleagues"News Tech giant's report suggests we should get ready to work with AI, revealing future trends for the workplace
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reportedNews Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field day
News February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
