Kaseya is helping nearly 1,500 compromised customers unlock ransomed files after obtaining a universal decryptor key Wednesday, 19 days after the devastating REvil ransomware attack.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company wrote in an update on its website.
“Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”
The company declined to answer media questions about the identity of the third party, whether a ransom was paid to obtain the key, and whether the decryptor works in all instances.
Two days after the attack, on July 4, REvil made the largest ransom demand on record, offering to decrypt every victim of the Kaseya attack in exchange for US$70 million. REvil’s online presence has since disappeared.
The latest development was first reported on Twitter by NBC News’ Kevin Collier on Thursday. Kaseya said it’ll provide updates on its remediation efforts with the decryptor as more details become available.
Organisations have become increasingly willing to fork over ransoms in recent months, with Colonial Pipeline paying Darkside US$4.3 million in May with the hope of restoring operations on its 5,500-mile pipeline sooner. Meatpacking giant JBS paid REvil US$11 million to shield the company’s meat plants from further disruption and limit the potential impact for restaurants, grocery stores and farmers.
The REvil gang pulled off one of the biggest ransomware heists in years on July 2, exploiting a vulnerability in Kaseya’s on-premises VSA remote monitoring and management tool to compromise nearly 60 MSPs, encrypt data and demand ransom payments from up to 1,500 of their end-user customers.
Kaseya said the cybercriminals were able to exploit vulnerabilities in its VSA tool to bypass authentication and achieve arbitrary command execution. This allowed REvil to leverage the VSA product’s standard functionality, the same agent management and script deployment that MSPs use for legitimate administration, to push ransomware to customer endpoints.
The cyberattack left more than 36,000 MSPs without access to Kaseya’s flagship VSA product for nearly 10 days as the company worked on a patch for the on-premises version of VSA and kept the more widely used SaaS version offline. Third-party engineers and consultants, as well as internal IT employees, suggested putting additional layers of protection into VSA to defend against unforeseen issues.
“The fact that we had to take down VSA is very disappointing to me personally,” Kaseya CEO Fred Voccola said in an emotional video posted to Kaseya’s website on July 8. “I feel like I let this community down, I let my company down, [and] our company let you down. And that is not going away.”
Former Kaseya software engineers and developers said they had warned Kaseya leaders for years about dangerous security flaws in its products, but those concerns were never fully addressed, Bloomberg reported July 10. Some employees who flagged Kaseya’s security issues quit out of frustration that newer features and products were prioritized over fixing the problems; others were fired, Bloomberg reported.
Some of the largest security problems within Kaseya included outdated code, weak encryption and weak passwords in its products, as well as a general failure to meet basic cybersecurity requirements such as continuous patching of its software and servers, according to Bloomberg, which declined to identify the former employees because of non-disclosure agreements.
A Dutch Institute for Vulnerability Disclosure (DIVD) researcher discovered seven vulnerabilities in Kaseya’s VSA product in early April and notified the company about the flaws less than a week later. Eighty-seven days after that notification, REvil exploited one of the flaws flagged by DIVD that still had not been patched in the on-premises product.
“We were in a coordinated vulnerability disclosure process with the vendor while this happened,” DIVD’s Victor Gevers wrote on Twitter.
“The CVEs [descriptions of the vulnerabilities] were ready to be published; the patches were made and prepared for distribution; and we mapped all online instances to help speed up the process.”