- ‘Kaseya’ has somehow acquired a valid universal decryption key to unlock the files encrypted by REvil.
- By this point, many clients have already restored their systems on their own, using backups or through rebuilds.
- No details were given to the public, but the possible scenarios around what may have happened are very specific.
‘Kaseya’ is apparently on the verge of getting unstuck from the muddy situation it entered at the start of the month, after a REvil attack on its systems resulted in the compromise of 1,500 businesses and organizations using its VSA product. According to the most recent reports, Kaseya has somehow received a universal master key to unlock the encrypted filesystems, so the restoration process is already underway. By now, though, many of the victims have already restored from backups or rebuilt their networks from scratch.
The software firm hasn’t given an official explanation of how exactly it obtained the key, but the possible scenarios are very specific. The actors may have decided to hand it over after failed negotiations, the company may have paid a ransom, a respectable number of clients may have paid a ransom, or law enforcement authorities in Russia may have worked behind the scenes to press REvil to end this operation. This ransomware group went offline inexplicably 10 days ago, so something significant has happened to the RaaS, but this is still a topic of speculation.
Tim Wade, Technical Director at Vectra, tells us:
From a distance, the emergence of a master key may appear more comforting than it should. The value of accelerating the restoration of data and services shouldn’t be trivialized, but it won’t exactly erase the already extensive cost of these attacks. And this is a cost carried not only in terms of the historic disruption, but also, given the proclivity of these criminal operators to leave lingering backdoors, in the ongoing need to rebuild compromised infrastructure into a clean, trustworthy state. So yes, sidestepping how this key may have been acquired, it may have some positive outcomes but as they say – it isn’t over ‘til it’s over.
More time will be needed to evaluate this case and assess the possibility of a fundamental shift in the ransomware space. At the moment, it appears that even when several larger groups go offline, the ransomware threat is never really mitigated, as others jump in to fill the gap. Potentially, those “others” are just re-spins and re-brandings of the same crooks.
For Kaseya, this incident was a highly damaging one, pulling the rug from under the feet of entities that trusted the firm and thought that relying on a managed service provider would be a good idea, even from a security perspective. REvil asked the firm to pay $70 million in ransom for a universal decrypter, as the group couldn’t possibly handle negotiations with thousands of companies. Even if Kaseya paid that amount, and no matter what level of support it provides to clients in restoring their files, restoring their trust will be a lot more challenging.