Following a hard-hitting ransomware attack that impacted corporate customers of Kaseya, the REvil ransomware gang offered a universal decryptor for the eye-watering sum of $70 million worth of Bitcoin.
Yesterday, Kaseya announced that it had “obtained a universal decryptor key” and was making it available to customers who are attempting to recover their systems and data:
Kaseya has obtained a universal decryptor key.
On 7/21/2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to remediate customers impacted by the incident.
We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problems or issues associated with the decryptor. Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.
We remain committed to ensuring the highest levels of safety for our customers and will continue to update here as more details become available.
Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.
Kaseya seems keen to indicate that it did not receive the decryptor directly from the REvil gang, but through a third party instead.
Of course, that doesn’t mean that the unnamed third party didn’t act as a proxy, perhaps paying REvil for the all-important code. That wouldn’t be without precedent, as there are a number of firms who have no qualms about negotiating with criminal gangs on behalf of ransomware-hit organisations.
And even if that is the case, it doesn’t mean that $70 million has been paid. In fact, I find that highly unlikely. Even in the immediate aftermath of the attack, REvil made clear that it was prepared to negotiate on the price of a universal decryptor.
Furthermore, it’s possible that no money has been paid at all. Maybe REvil had a change of heart and decided to hand over a universal decryptor for free? (I doubt it…) Or maybe someone else managed to get hold of the decryptor through means which have not been made public as yet?
There’s more to this story, and I hope we find out what happened.