Security Experts:

Kaseya Obtains Universal Decryptor for Ransomware Attack Victims

IT management software maker Kaseya on Thursday said it obtained a universal decryptor that should allow victims of the recent ransomware attack to recover their files.

In early July, cybercriminals exploited vulnerabilities in a Kaseya product to deliver ransomware to MSPs who had been using that product, as well as to the customers of those MSPs. The company estimated that between 800 and 1,500 organizations received the ransomware, although some experts believe the actual number could be higher.

Tha attackers delivered the REvil ransomware, which encrypted files on compromised systems and asked victims to pay a ransom to recover them. However, victims that have not already paid up will now get help from Kaseya, after the company obtained a “universal decryptor key.”

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” Kaseya said.

It’s unclear how Kaseya got the decryptor, but the company said it was obtained from a “trusted third party.” Cybersecurity company Emsisoft verified the decryptor and confirmed that it works properly, Kaseya said.

It’s worth noting that the attackers also offered a universal decryptor that could allegedly be used to recover all encrypted files. They initially asked for $70 million for the universal decryptor, but some reports said the amount was later brought down to $50 million.

The Tor-based website used by the REvil ransomware gang to name victims and leak stolen data went offline roughly ten days after the attack on Kaseya, and it’s currently still down.

Due to the fact that the ransomware was delivered to victims via Kaseya software and it immediately started encrypting their data, the cybercriminals did not get a chance to steal information from compromised systems, as they did in past attacks. In addition, the ransomware in many cases failed to delete backups before encrypting files, which has apparently led to a majority of victims not paying the ransom demanded by the hackers.

After some delays, Kaseya released patches for the vulnerabilities exploited in the attack. The company had been aware of at least some of the flaws, but failed to patch them before the attack was launched.

While it has been described as one of the worst ransomware attacks ever, Kaseya has attempted to downplay the incident. It also came to light that this wasn’t the first time the company was targeted by hackers, and some claimed that in some cases the company did not treat cybersecurity issues as seriously as it should have.

Related: Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack

Related: Emails Offering Kaseya Patches Deliver Malware

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.