Almost three weeks ago, a ransomware attack against a little-known IT software company called Kaseya ballooned into a full-blown epidemic, with hackers seizing the computers of up to 1,500 companies, including a large Swedish grocery chain. Last week, the infamous group behind the hack disappeared from the internet, leaving victims unable to pay and unable to recover their systems. But now the situation seems almost definitively resolved, thanks to the surprise appearance of a universal decryption tool on Thursday.
The July 2nd hack was as bad as it gets. Kaseya offers IT management software that is popular with managed service providers (MSPs), companies that run IT infrastructure for other businesses that would rather not take care of it themselves. By exploiting a bug in the MSP-oriented software called Virtual System Administrator, the ransomware group REvil was able to infect not only these MSPs but their customers as well, causing a wave of havoc.
In the weeks since, victims have had essentially two options: pay the ransom to restore their systems, or rebuild the lost data from backups. For many individual companies, REvil set the ransom at around $45,000. It tried to shake down MSPs for up to $5 million. The price of a universal decryptor was originally set at $70 million. The group later dropped it to $50 million before disappearing, likely to lie low in a moment of high tension. When they disappeared, they took their payment gateway with them. The victims were stranded, unable to pay even if they wanted to.
Kaseya spokeswoman Dana Liedholm confirmed to WIRED that the company had received a universal decryptor from a “trusted third party”, but she did not specify who provided it. “We have a team that is actively working with our affected customers and we will share more about how we will continue to make the tool available once these details become available,” Liedholm said in an email statement, adding that contact with the victims has already begun, with the help of the antivirus company Emsisoft.
“We are partnering with Kaseya to support their customer loyalty efforts,” said Brett Callow, Emsisoft threat analyst. “We have confirmed that the key is effective in unlocking victims and will continue to support Kaseya and its customers.”
Security firm Mandiant has worked with Kaseya on a more comprehensive fix, but a Mandiant spokesperson referred WIRED back to Liedholm when asked for additional clarification on who provided the decryption key and how many victims still need it.
The ability to unlock any encrypted device is undeniably good news. But the number of victims it can still help at this point may be only a relatively small part of the initial wave. “The decryption key will likely be helpful to some customers, but it’s probably too little too late,” said Jake Williams, CTO of the security firm BreachQuest, which has several customers who were affected by the REvil campaign. That’s because anyone who could restore their data through backups, payment, or other means has likely already done so. “The cases where it probably helps the most are when there is some unique data on an encrypted system that simply cannot be reconstructed in any meaningful way,” says Williams. “In these cases, we recommended that these organizations pay for the decryption keys immediately if the data was critical.”
Many of the REvil victims were small and medium-sized businesses; as MSP customers, they are, by definition, the types who prefer to outsource their IT needs – which in turn means they may be less likely to have reliable backups. Still, there are other ways to recover data, even if that means asking customers and vendors to send everything they have and starting over. “It’s unlikely anyone was holding out hope for a key,” says Williams.