Security

‘Kaseya’ Got a Master Decryption Key From REvil and Restoration Is Underway

By Bill Toulas / July 23, 2021
ransomware unlock

‘Kaseya’ is apparently on the verge of getting unstuck from the muddy situation it entered at the start of the month, after a REvil attack on its systems resulted in the compromise of 1,500 businesses and organizations using its VSA product. According to the most recent reports, Kaseya has somehow received a universal master key to unlock the encrypted filesystems, so the restoration process is already underway. By now, though, many of the victims have already restored from backups or rebuilt their networks from scratch.

The software firm hasn’t given an official explanation about how exactly they obtained the key, but the possible scenarios are very specific. The actors may have decided to hand them over due to failed negotiations, the company may have paid a ransom, a respectable number of clients may have paid a ransom, or the law enforcement authorities in Russia have worked underground to press REvil to end this operation. This ransomware group went offline inexplicably 10 days ago, so something significant has happened to the RaaS, but this is still a topic of speculation.

Tim Wade, Technical Director at Vectra, tells us:

From a distance, the emergence of a master key may appear more comforting than it should. The value of accelerating the restoration of data and services shouldn’t be trivialized, but it won’t exactly erase the already extensive cost of these attacks. And this is a cost carried both in terms of the historic disruption, but also given the proclivity of these criminal operators to leave lingering backdoors, the ongoing need to rebuild compromised infrastructure into a clean, trustworthy state. So yes, sidestepping how this key may have been acquired, it may have some positive outcomes but as they say – it isn’t over ‘til it’s over.

More time will be needed to evaluate this case and appreciate the possibility of a fundamental shift in the ransomware space. At the moment, it appears that even if several larger groups have gone offline, the ransomware threat is never really mitigated as others jump in to fill in the gap. Potentially, those “others” are just re-spins and re-brandings of the same crooks.

For Kaseya, this incident was a highly damaging one, pulling the rug under the feet of entities that trusted the firm and thought that relying on a managed service provider would be a good idea, even from a security perspective. REvil asked the firm to pay them $70 million in ransom for a universal decrypter, as the group couldn’t possibly handle negotiations with thousands of companies. Even if Kaseya paid that amount and no matter what level of support they will provide to the clients in terms of restoring their files, restoring their trust will be a lot more challenging.


Add a Comment
Related Posts

New RaaS Called ‘BlackMatter’ Emerges to Fill the Gap Left by REvil and DarkSide


July 28, 2021

“REvil” Displays Power and Size With $1 Million Deposit on Forum


September 28, 2020

‘Asteelflash’ Hit by REvil and Asked $24 Million Ransom


April 3, 2021

Researchers Say ‘Prometheus’ Is Not Related to ‘REvil’ in Any Apparent Way


June 10, 2021

The “Thanos” RaaS Is Moving Forward and Growing in Popularity


June 11, 2020

Someone Has Leaked the Key Used by REvil in the Kaseya Attack


August 11, 2021

© TechNadu 2024. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari