Kaseya – the vendor of the remote management software at the center of a ransomware operation that infected up to 1,500 downstream networks – said it has obtained a decryptor that should successfully restore the data encrypted during the July 4th weekend attack.
Affiliates of REvil, one of the Internet’s most cutthroat ransomware groups, exploited a critical zero-day vulnerability in the VSA remote management product from Miami, Florida-based Kaseya. The vulnerability – which Kaseya was days away from patching – allowed the ransomware operators to compromise the networks of around 60 customers. From there, the extortionists infected up to 1,500 networks that depended on those 60 customers for services.
Finally a universal decryptor
“We received the decryptor yesterday from a trusted third party and have successfully used it with affected customers,” wrote Dana Liedholm, Senior Vice President of Corporate Marketing, in an email on Thursday morning. “We provide technical support for using the decryptor. We have a team that reaches out to our customers and I don’t have any further details at the moment.”
In a private message, threat analyst Brett Callow of security firm Emsisoft said, “We are working with Kaseya to support their customer loyalty efforts. We have confirmed that the key is effective in unlocking victims and will continue to support Kaseya and its customers.”
REvil had asked for up to $70 million for a universal decryptor that would restore the data of all organizations compromised in the mass attack. Liedholm declined to say whether Kaseya paid any amount in exchange for the decryption tool. Kaseya has since patched the zero-day used in the attack.
It is currently not publicly known whether Kaseya paid the ransom or received the decryptor free of charge from REvil, a law enforcement agency, or a private security company.
In the days following the attack, REvil’s dark web site, along with other infrastructure the group uses for technical support and payment processing, suddenly went offline. The unexplained disappearance made victims and researchers fear that their data would remain locked forever, as the only people with the ability to decrypt it had vanished.
Where did that come from?
REvil is one of several ransomware groups believed to be operating out of Russia or another Eastern European country that was formerly part of the Soviet Union. The group’s disappearance came days after President Joe Biden warned his Russian counterpart, Vladimir Putin, that the US could take unilateral action against these ransomware groups if Russia failed to curb them.
Observers have since speculated that either Putin pressured the group to go quiet or the group, shaken by all the attention the attack drew, decided to go quiet on its own.
REvil was also behind a crippling attack on JBS, the world’s largest meat producer. That attack caused JBS to temporarily close some plants.