Kaseya has obtained a universal decryptor for REvil ransomware and will be working with all customers affected by its July 2021 ransomware attack, which affected around 60 of its customers and an estimated 1,500 downstream businesses.
In early July, the REvil ransomware gang exploited one or more zero-day vulnerabilities in the Kaseya Virtual System/Server Administrator (VSA) platform, and then used the software update mechanism to gain access to the systems of its direct customers, and through them, the businesses that they serve. Customers in 22 countries were affected by the attack, many of which were managed service providers who used the VSA platform to manage the networks and software of their clients.
The REvil ransomware gang typically exfiltrates data prior to encryption, but in this attack, it is unclear if data exfiltration occurred. Following the attack, the REvil ransomware gang demanded a payment of $70 million for a universal decryptor that would work for all businesses affected by the attack, with MSPs individually charged $5 million and their clients $40,000; however, shortly after the initial demand was issued, it was reduced to $50 million.
A few days after the attack, on July 13, 2021, the websites used by the REvil gang mysteriously went offline, and the gang has been quiet ever since. Representatives of the REvil gang were also banned on many underground hacking forums.
Kaseya announced on Thursday that a universal decryptor had been obtained that will allow all affected customers to recover their files free of charge. Kaseya neither confirmed nor denied paying the ransom at the time, and said it was unable to share any information about the source of the decryptor. The decryptor has been validated as legitimate by a third party – Emsisoft – and Kaseya will be contacting affected customers to provide support and help them recover their files.
Update: Kaseya Did Not Pay Ransom
On July 26, 2021, Kaseya issued a statement confirming the ransom was not paid. “We are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor,” said Kaseya. “Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal. Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack, and we have not wavered from that commitment.”