Kaseya received a universal decryptor that enables victims of the REvil ransomware attack on July 2nd to restore their files for free.
On July 2nd, the ransomware operation REvil launched a massive attack by exploiting a zero-day vulnerability in the Kaseya VSA remote management application to encrypt approximately sixty managed service providers (MSPs) and an estimated 1,500 companies.
After the attack, the threat actors demanded $70 million for a universal decryptor, $5 million for MSPs, and $40,000 for each extension encrypted on a victim's network.
Soon afterwards, the REvil ransomware gang mysteriously disappeared, shutting down its payment pages and infrastructure.
While most of the victims did not pay, the gang's disappearance left companies that might have needed to buy a decryptor unable to do so.
Kaseya announced today that it has received a universal decryptor for the ransomware attack from a “trusted third party” and is now distributing it to affected customers.
“We can confirm that we have received a decryptor from a trusted third party, but we can no longer report the source,” Kaseya's SVP of Corporate Marketing Dana Liedholm told BleepingComputer.
“We have had the tool validated by another third party and have started to release it to our affected customers.”
While Kaseya did not provide any information about the source of the key, it confirmed with BleepingComputer that it was the universal decryption key for the entire attack, allowing all MSPs and their customers to decrypt files for free.
When asked if they paid a ransom to get a decryptor, Kaseya told BleepingComputer that they “cannot confirm or deny it.”
It is unclear what caused the REvil ransomware operation to shut down and go into hiding, and several international law enforcement agencies have told BleepingComputer that they were not involved in its disappearance.
After the attacks on JBS and Kaseya, the White House put pressure on the Russian government to do something about the ransomware gangs believed to be operating in Russia.
The Russian government is believed to have ordered the REvil ransomware gang to shut down in order to show that it was cooperating with the US.
Since the decryptor was obtained after the REvil gang disappeared, it is possible that Russia received it directly from the ransomware gang and passed it on to US law enforcement as a gesture of goodwill.
REvil’s disappearance likely isn’t the end of the gang’s online activities.
In the past, the GandCrab ransomware operation shut down and rebranded as REvil, and REvil is expected to reappear as a new ransomware operation.