
Kaseya, the American software maker, obtains decryptor key without paying ransom

The American software maker Kaseya has obtained a “universal decryptor key” for files affected by the ransomware attack mounted by the hacker group REvil. The company claims that it did not pay the attackers a ransom, and the key was provided to it by a “trusted third party”.

On July 2, Kaseya’s experts advised their clients to disconnect the software due to a potential attack, which was subsequently confirmed. Later, a ransom demand of $70 million in bitcoin for decrypting the files of all victims appeared on REvil’s website.

On July 22, nineteen days after the initial infection, the company received a decryptor key from a “trusted third party,” NBC News journalist Kevin Collier said, citing a Kaseya representative. According to him, about 1,500 organizations were affected by the attack.

Emsisoft, a cybersecurity-focused company that collaborates with Kaseya, confirmed the decryptor’s effectiveness to Collier.

According to a July 26 statement, the software developer, together with Emsisoft, provides decryptors to affected customers upon request. The company stressed that the key “proved 100% effective in decrypting files that had been fully encrypted during the attack.”

“After consulting with experts, Kaseya decided not to engage in negotiations with the criminals who carried out this attack […]. Thus, we can unequivocally confirm that the company did not pay a ransom—either directly or indirectly through third parties—to obtain the decryptor,” the statement reads.

Collier speculated that American or Russian authorities may have been involved. He also noted that Emsisoft has only an indirect role in decrypting the files, providing clients with the key obtained from Kaseya.

Earlier, REvil’s darknet sites abruptly went offline. Among them were Happy Blog, used for publishing data about victims, as well as portals for discussing the ransom amount and receiving payments.

This occurred after a phone call between the U.S. and Russian presidents. Joe Biden urged Vladimir Putin to halt ransomware attacks launched from Russian territory against American companies. Later, Biden answered in the affirmative when asked about the possibility of the United States taking the hackers’ servers offline.

According to Ransomwhere, more than $45 million in cryptocurrency has been sent to addresses associated with the ransomware operators. The REvil group is one of the largest operators of ransomware — victims sent more than $12 million to its coffers.

According to Bloomberg, the Biden administration intends to track ransoms paid by victims of attacks in order to counter the ransomware threat. The White House is said to have formed a ransomware task force.
