Kaseya, the Miami-based company in the center of a ransomware attack on hundreds of businesses over the July 4th holiday weekend, said Thursday it had received a key that customers can use to unlock access to their data and networks.
The secret is how the company got the key. Kaseya only said that it received the key from a “third party” on Wednesday and that it was “effective at unlocking victims.”
The development is one of the latest mysteries surrounding the Kaseya attack, in which a Russia-based ransomware group called REvil, short for Ransomware Evil, broke into Kaseya and used it as a channel to extort hundreds of Kaseya customers, including grocery and pharmacy chains in Sweden and two cities in Maryland, Leonardtown and North Beach.
The attack sparked emergency meetings at the White House and prompted President Biden to call Russian President Vladimir Putin and request that he address the ransomware attacks within his borders.
Within a few days of the call, REvil went dark. Gone was REvil’s “Happy Blog,” which published emails and files stolen from REvil’s ransomware victims. Its payment platform went offline. Its most notorious members suddenly disappeared from cybercrime forums.
It is unclear whether REvil went offline of its own accord or on orders from the Kremlin, or whether Pentagon hackers at Cyber Command played a role. But it was a loss for Kaseya’s victims, who were still negotiating to get their data back when their extortionists suddenly disappeared.
Kaseya’s announcement that it had obtained the key was a welcome twist. When ransomware groups hand over decryption tools to victims who have paid their extortion demands, the tools are often slow or ineffective. But in this case, Brett Callow, a threat researcher at Emsisoft, a security firm that works with Kaseya, confirmed that the decryptor was “effective.”
José María Leon Cabrera and Julie Türkewitz contributed reporting.