Many victims of the Kaseya ransomware attack are still recovering, but one victim faces a particularly difficult problem.
Mike Hamilton, former CISO of Seattle and now CISO of ransomware correction firm Critical Insight, told ZDNet that a customer who did not want to be named was one of the few Kaseya victims who paid a ransom to the REvil ransomware group .
Hamilton stated that the company paid the ransom and received the decryption keys from REvil, but found they weren’t working. REvil typically offers a help desk feature that helps victims get their data back.
But REvil made news this week when all of their websites went darkwhich led to widespread speculation about why they may have closed the store.
Now that REvil is out of operation, the company has few options to address its problem, Hamilton said.
“Some of our customers just got away with it. If you had this agent installed on unimportant computers, you simply rebuilt it and brought it back to life. But we got a 911 call a few days ago from a company that was hit hard because they had it. ”A company that used the Kaseya VSA to manage many of their servers. They got a lot of their servers attacked and had a lot of information about them, so they brought in their insurance company and decided to pay the ransom, “said Hamilton.
“They got their decryption key and when they started using it they found that it worked in some places and not in others. These ransomware gangs have customer support but all of a sudden they went dark so there is no help and these people are just stuck. You will end up losing a lot of data and you will end up spending a lot of money building your network from scratch. “
ZDNet contacted several cybersecurity experts and companies to find out if other Kaseya victims have faced similar problems. But almost all those contacted stated that most of the victims did not pay a ransom and that they had not seen any other company going through a similar problem.
Hamilton said that due to the size of the attack – according to estimates approx. 1,500 organizations were affected – there had to be others who paid the ransom but are now struggling to decrypt their files without the help of REvil’s support systems.
Recorded Future ransomware expert Allan Liska theorized that REvil hadn’t anticipated all of these individual computer infections and was ill-prepared to perform every single decryption.
After the attack, there was significant discussion on the internet about whether a decryption key would work for all Kaseya victims. Experts said it was It is absolutely possible that REvil created separate decryption keys for every victim, but the ransomware group eventually signed up to make a universal decryptor for Kaseya. to offer a ransom of $ 70 million.
“My guess is [REvil] has crappy decryptor key management so they may not know which key to give to each and every victim. They may have given the wrong keys to the few $ 45,000 victims who paid, ”Liska said.
Hitesh Sheth, Vectra CEO, said his team had seen descriptions of elaborate customer support channels run by ransomware bandits, but noted that REvil’s disappearance is further evidence that these groups are “out to make money.” to earn and not to bring their sacrifices back to strength “.
Hamilton said the situation in which the company is unable to get its decryptor working is “the result of well-intentioned federal policy that has caused a lot of collateral damage.”
While both US authorities and Russian officials have denied any involvement in the disappearance of REvil, Hamilton said he believes the gang has gone dark because the discussion about ransomware in the US has changed in recent months.
Although he believes it is a possibility that the people behind REvil quit of their own accord, he said it is more likely that Russian government officials are putting pressure on REvil due to increased pressure from the Biden government.
“This particular predicament that many companies are in right now is the result of collateral damage to our changes in federal policy. Who knows? This could have been a deliberate act on the way out, do this huge thing and then we’ll be the last slap in the eye. ‘ But I will still say that this is the result of our change in policy and how that affects Vladimir Putin’s conversation with his intelligence officials, “said Hamilton.
“It was just so timed that right after that shotgun explosion it left a lot of people dry. Other companies in this particular situation right now are likely just going to lose data and they will have to” “rebuild from scratch, and this could drive some companies out of business. “
#Kaseya #victim #struggles #decryption #REvil #dark #ZDNet