Kaseya Obtains Decryptor Key – GovInfoSecurity


Software Firm Helping Customers Affected by Ransomware to Recover

Kaseya Executive Vice President Mike Sanders (Source: Kaseya)

The software firm Kaseya said on Thursday it has obtained a universal key that will unlock files encrypted in a devastating ransomware attack earlier this month.



The universal key will help organizations, many of which are small businesses, that are struggling to restore their files from backups or may have no backups at all. Kaseya says it obtained the decryptor from an unidentified third party. It did not say whether it or its insurer paid a ransom for the key.


Kaseya, like other companies that have experienced breaches with knock-on effects, could face lawsuits over its security. Paying a ransom for a universal decryption key would be a goodwill gesture, and Kaseya had already announced a program to help victims.


There were early signs Kaseya would resist paying for a universal key. Michael Sanders, a Kaseya executive vice president, told computer security journalist Brian Krebs on July 8 that the company had been counselled not to negotiate a single ransom for a key that would help all victims.


But if Kaseya did pay a ransom, the message to the cybercriminal world is that ransomware pays – you just need to know how to get away with it, says Alex Holden, CISO of Hold Security, a Wisconsin-based consultancy that analyzes the cybercriminal underworld.


“I sincerely hope that Kaseya was able to get the decryption key without paying ransom,” Holden says.


Recovery: Easy for Some, Harder for Others


The July 2 attack on Kaseya capitalized on remotely exploitable software vulnerabilities. Kaseya had known of the vulnerabilities since being notified by Dutch researchers three months earlier but had yet to deploy patches before disaster struck (see Kaseya Raced to Patch Before Ransomware Disaster).


Actors affiliated with the REvil ransomware gang used the vulnerabilities to exploit Kaseya’s Virtual System Administrator (VSA), management and monitoring software used by managed service providers, or MSPs. Up to 60 of Kaseya’s MSP customers were infected.


Those most affected were MSPs running on-premises versions of VSA, because Kaseya took its software-as-a-service VSA offline, shielding those customers from the attack.


The cybercriminals then used those MSPs’ VSA installations to push ransomware to the MSPs’ own clients, eventually infecting as many as 1,500 organizations.


Early on, the REvil group offered a universal decryptor that would help all victims for $70 million. At one point it dropped the price to $50 million. There was speculation that victims and their insurers might pool funds to obtain the key.


After the highly publicized attack, the REvil gang’s infrastructure, including its darknet sites, went offline on July 13, but it is unclear why. The Biden administration has welcomed REvil’s disappearance but says it does not know the cause. The administration has continued to press Russia to take action against ransomware actors who may reside within its borders.


While the Kaseya attack was huge in scale, some of those affected have been able to recover. Unlike in many other ransomware incidents, the attackers did not delete Volume Shadow Copies, a Windows backup feature. That did not necessarily make recovery easy, but it did make it possible.


VelzArt, an MSP in the Netherlands that was a Kaseya customer, documented its all-out effort to help its clients. But some organizations are still stuck, says Allan Liska, an intelligence analyst with Recorded Future’s computer security incident response team.


Liska says he has spoken with incident response companies handling the Kaseya incident. They report that many small organizations, such as dental clinics and law offices, in countries including the U.S., Sweden, Australia and South Africa are struggling to rebuild their businesses from scratch. The organizations are small enough that their disruptions don’t make the news, Liska says.


Those types of businesses may have contracted with MSPs for software deployment and patching but not necessarily for backups, Liska says. Also, some organizations that thought they had backups discovered they did not, he says.


“It’s all over the place,” Liska says.


Working With Emsisoft


Kaseya says Emsisoft has confirmed that the decryptor is effective. An Emsisoft spokesman says the company cannot release information about how the key was obtained.


Emsisoft is a security company with deep knowledge of ransomware and, most importantly, of how to recover from it. Emsisoft has developed tools that can evaluate the damage from a ransomware attack, such as whether files are irrecoverable.

Companies can then make a better-informed decision on whether paying a ransom for a key is worth it and, if so, how much to pay. Emsisoft, however, says it does not offer negotiation services or facilitate payments to ransomware gangs.


Emsisoft has also developed tooling that makes using a decryptor supplied by a ransomware gang faster and smoother. Gang-supplied decryptors are often slow and buggy: in the Colonial Pipeline Co. ransomware incident, the company paid $4.4 million for the key only to find that restoring from backups was faster (see Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).


Executive Editor Jeremy Kirk contributed to this report.
