Kaseya has obtained a universal decryption key to restore access to its networks as well as those of all businesses affected by a devastating ransomware attack spearheaded by REvil.
The company is distributing the master decryptor to customers affected by the attack earlier this month, as well as the customers of many managed service providers (MSPs) that used the compromised VSA platform. In total, the supply chain attack affected roughly 50 Kaseya customers directly, and up to 1,500 organisations in total.
Best ransomware removal tools REvil vanishes from the web without a trace The truth about ransomware
Kaseya claims that it obtained the decryption key “from a third party”, although it didn’t reveal the precise arrangements, the identity of this entity, nor whether any money changed hands at any stage.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said in an update.
“Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”
REvil previously demanded a ransom of $70 million for access to the universal decryptor, with the group claiming it’d infected “more than a million systems”. The gang, in addition, demanded a lesser sum of $44,999 from its victims if their endpoint had been hit, according to Sophos.
RELATED RESOURCE
2021 state of email security report: Ransomware on the rise
Securing the enterprise in the COVID world
REvil then vanished from the internet without a trace roughly ten days after the attack, with the security industry speculating this could be due to an internal fallout, action by law enforcement, or some form of exit scam. The group hasn’t yet re-emerged.
Kaseya first announced that its systems had been compromised after the group exploited flaws in its cloud-based IT management and remote monitoring product VSA.
REvil exploited a zero-day vulnerability to remotely access internet-facing servers, targeting the platform because a key functionality of VSA is to push software and automated IT tasks on request, without any checks. This served as an ideal route to target the clients of Kaseya's customers.
Kaseya had already been working on fixes for the targeted vulnerabilities, according to security DIVD CSIRT, although the hackers were able to exploit them before patches were finalised and pushed out.
The company eventually fixed the three flaws exploited as part of the attack a few days after the incident, as part of a wider update fixing seven vulnerabilities in total.
-
AWS targets IT modernization gains with new agentic AI features in TransformNews New custom agents aim to speed up legacy code modernization and mainframe overhauls
-
HSBC partners with Mistral to fuel bank-wide generative AI adoptionNews The multi-year, strategic partnership will focus on transforming a range of services and tasks from customer-facing to fraud detection and more
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
