Kaseya Obtains Decryption Tool After REvil Ransomware Hit


Software Vendor Said Approximately 60 MSPs and 1,500 Clients Affected by Attack

Kaseya Executive Vice President Mike Sanders (Source: Kaseya)

Three weeks after its software was used to facilitate a massive ransomware attack, remote management software vendor Kaseya says it has obtained a universal decryption key to help victims.


Kaseya says the universal decryption tool will help the estimated 1,500 organizations affected by the attack, many of which are small businesses and have been struggling to restore their files from backups, or may have no backups at all. As yet, however, it’s not clear if the decryptor is 100% effective at restoring files. Security experts say that some types of ransomware fail to encrypt files properly before deleting them, meaning they can never be recovered – unless victims have a backup copy.

Even so, to what does Kaseya owe this apparent saving grace? The software vendor would only say that it has obtained the decryptor from a third party, which it declined to identify. The company would not say if it paid a ransom to its attackers in exchange for the decryption tool, or if its insurer might have done so, or if the decryptor was provided for free.

Despite being able to help victims restore files, Kaseya, like other companies that have experienced breaches with knock-on effects, appears likely to face lawsuits alleging that it failed to have proper cybersecurity practices and defenses in place. By having obtained a universal decryption tool, together with having already announced a program designed to help victims, the company is making a public effort to show that it’s trying to help via every means possible.

Law enforcement officials and security experts continue to urge victims to never pay extortionists, and there were early signs Kaseya was trying to avoid paying the attackers. Mike Sanders, a Kaseya executive vice president, told cybersecurity journalist Brian Krebs on July 8 that the company had been counselled to not negotiate one ransom for a key to help all victims.

Many continue to hope that Kaseya did not go down that path. Because if so, the clear message to the cybercriminal world would be that ransomware continues to pay, provided you know how to get away with it, says Alex Holden, CISO of Hold Security, a Wisconsin-based consultancy that analyzes the cybercriminal underworld.

“I sincerely hope that Kaseya was able to get the decryption key without paying a ransom,” Holden says.

Recovery: Easy for Some, Harder for Others

The ransomware attack unleashed on July 2 targeted remotely exploitable software vulnerabilities in Kaseya’s software being used by dozens of managed service providers, and many of their clients.

Kaseya first learned of the flaws after being notified by Dutch researchers three months prior, but had yet to deploy patches before disaster struck (see Kaseya Raced to Patch Before Ransomware Disaster).

Attackers affiliated with the REvil – aka Sodinokibi – ransomware operation used the vulnerabilities to exploit Kaseya’s Virtual System Administrator, or VSA, which is management and monitoring software used by MSPs, up to 60 of which were infected. The MSPs run VSA servers, which communicate with VSA endpoint software running on clients’ systems. By compromising the MSPs’ VSA servers, the REvil affiliates were able to use the software’s own deployment channel to push malware to endpoints at up to 1,500 of the MSPs’ client organizations.

Attackers hit only MSPs running the on-premises version of VSA. While Kaseya’s software-as-a-service version of VSA appears to have had the same vulnerabilities, the company quickly deactivated its cloud-based software when the attack came to light, and those customers were not affected.

Early on, the REvil group offered a so-called “universal decryptor” that it claimed would decrypt every victim’s crypto-locked systems for $70 million. Later, REvil appeared to lower the initial asking price to $50 million. Some cybercrime watchers speculated that victims and their insurers might collectively attempt to pool funds to obtain the key.

After the highly publicized attack, the REvil operation’s infrastructure, including its darknet sites, went offline July 13. But it’s unclear why. The Biden administration has welcomed REvil’s current shutdown but says it doesn’t know the cause. The White House also continues to press Russia to take action against ransomware-wielding criminals who may reside within its borders.

While the Kaseya attack was massive in scale, experts say some victims have already been able to recover. Unlike many ransomware attacks, REvil appeared to be moving quickly to hit as many MSPs and their clients as possible. Accordingly, the attackers appear to have stolen no data before crypto-locking systems. In addition, they didn’t delete Volume Shadow Copies, a snapshot feature built into Windows that ransomware operators commonly wipe to block recovery. Security experts say that while having access to VSCs will be welcome, it does not mean that recovery via that route will be easy, but at least it would be possible.
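As an added illustration of the shadow-copy recovery route described above (this is not code from the article or from Kaseya), the following PowerShell enumerates the Volume Shadow Copies of a drive, picks the newest snapshot taken before the attack began, exposes it as a directory and copies a file out of it. The drive letter, attack cutoff time, mount point and file path are placeholders; it assumes an elevated session on the affected Windows host.

```powershell
# Added example: recover a file from a pre-attack Volume Shadow Copy.
# Assumes an elevated PowerShell session; all values below are placeholders.
#Requires -RunAsAdministrator

$DriveLetter  = 'C:'                                  # assumed: volume that was encrypted
$AttackCutoff = Get-Date '2021-07-02T10:00:00'        # assumed: when encryption started on this host
$MountPoint   = 'C:\vss_snapshot'                     # assumed: where the snapshot will be exposed
$SampleFile   = 'Users\Public\Documents\invoice.docx' # assumed: a file to recover, relative to the volume root

# Resolve the drive letter to the \\?\Volume{GUID}\ form that Win32_ShadowCopy reports.
$volume = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $volume) { throw "No volume found for $DriveLetter" }

# List every shadow copy of that volume, oldest first. An empty result means the
# snapshots were deleted or never taken, and this recovery route is closed.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# A snapshot taken after encryption only holds crypto-locked files, so take the
# newest one that predates the attack.
$candidate = $shadows | Where-Object { $_.InstallDate -lt $AttackCutoff } | Select-Object -Last 1
if (-not $candidate) { throw "No shadow copy of $DriveLetter predates $AttackCutoff" }

# Expose the snapshot as a directory symlink. mklink /d needs the trailing backslash
# on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path.
if (Test-Path $MountPoint) { cmd.exe /c "rmdir `"$MountPoint`"" | Out-Null }
cmd.exe /c "mklink /d `"$MountPoint`" `"$($candidate.DeviceObject)\`"" | Out-Null

# Copy one file out and check the copy is non-empty before relying on the route at scale.
$src = Join-Path $MountPoint $SampleFile
$dst = Join-Path $env:TEMP (Split-Path $SampleFile -Leaf)
Copy-Item -Path $src -Destination $dst -Force
$recovered = Get-Item $dst
if ($recovered.Length -eq 0) { throw "Recovered file is empty; snapshot may be unusable" }
"{0} bytes recovered from snapshot {1} taken {2}" -f $recovered.Length, $candidate.ID, $candidate.InstallDate

# Remove only the link; the snapshot itself is untouched.
cmd.exe /c "rmdir `"$MountPoint`"" | Out-Null
```

The enumeration step is also the quickest triage check: ransomware that does destroy snapshots usually does so with commands such as `vssadmin delete shadows /all /quiet` or `wmic shadowcopy delete`, so an empty listing on a host that had snapshots enabled is a sign that route is gone and the decryptor or an external backup is the only option.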

Some Kaseya-using MSPs have been making all-out efforts to assist victims, including Dutch MSP VelzArt.

But numerous organizations have nevertheless remained stuck, says Allan Liska, an intelligence analyst with Recorded Future’s computer security incident response team.

Liska says he has spoken with incident response companies dealing with the Kaseya incident. Those firms have told him that many smaller victims, such as dental clinics and law offices, are still struggling to rebuild their businesses from scratch. These organizations – in countries such as the U.S., Sweden, Australia and South Africa – are small enough that the disruptions don’t make the news, Liska says.

One problem: These businesses may have contracted with MSPs for software deployment and patches – but not necessarily backups, Liska says. Also, some organizations that thought they had backups subsequently discovered they did not.

“It’s all over the place,” Liska says.

Working With Emsisoft

Kaseya says security firm Emsisoft has confirmed that the decryptor is effective. An Emsisoft spokesman says the company can’t release information about how the key was obtained.

Emsisoft is a security firm that has extensive knowledge of ransomware and, most importantly, how to recover from it. Emsisoft also offers tools that can evaluate damage from ransomware – for example, if crypto-locked files are recoverable, so that victims can make a better-informed decision about whether paying for a decryption tool might be worth it, and if so, gain a better idea of how much to pay.

The security firm, however, says it does not offer negotiation services or facilitate payments to ransomware operations. Likewise, FireEye’s Mandiant incident response team, which Kaseya brought in after the attack to assist, does not negotiate or help with payments.

“We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers,” Fabian Wosar, CTO of Emsisoft, told BleepingComputer.

For victims that do obtain a decryption tool, such software can be slow and buggy, or perhaps not work at all. After Colonial Pipeline Co. was hit by DarkSide ransomware in May, for example, it paid attackers $4.4 million for a decryption tool, only to find that restoring from backups was faster (see Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).

Emsisoft sells a flat-price software tool that can make using a decryptor supplied by a ransomware operation – or obtained via other means – work faster and more reliably.

Executive Editors Jeremy Kirk and Mathew Schwartz contributed to this report.
