Kaseya offers universal decryptor to customers following ransomware attack

Hope it didn’t cost them $70 million…

Graham Cluley
@gcluley

Remember this?

Following a hard-hitting ransomware attack that impacted corporate customers of Kaseya, the REvil ransomware gang offered a universal decryptor for the eye-watering sum of $70 million worth of Bitcoin.

Yesterday, Kaseya announced that it had “obtained a universal decryptor key” and was making it available to customers who are attempting to recover their systems and data:

Kaseya has obtained a universal decryptor key.

On 7/21/2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to remediate customers impacted by the incident.

We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor. Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.

We remain committed to ensuring the highest levels of safety for our customers and will continue to update here as more details become available.

Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.

Kaseya seems keen to indicate that it did not receive the decryptor directly from the REvil gang – but through a third party instead.

Of course, that doesn’t mean that the unnamed third party didn’t act as a proxy, perhaps paying REvil for the all-important code. That wouldn’t be without precedent – as there are a number of firms who have no qualms about negotiating on behalf of ransomware-hit organisations with criminal gangs.

And even if that is the case, it doesn’t mean that $70 million has been paid. In fact, I find that highly unlikely. Even in the immediate aftermath of the attack, REvil made clear that it was prepared to negotiate on the price of a universal decryptor.

Furthermore, it’s possible that no money has been paid at all. Maybe REvil had a change of heart and decided to hand over a universal decryptor for free? (I doubt it…) Or maybe someone else managed to get hold of the decryptor through means which have not been made public as yet?

There’s more to this story, and I hope we find out what happened.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
