Almost three weeks ago, a ransomware attack on a little-known IT company called Kaseya spiraled into a full-blown epidemic, with hackers seizing the computers of as many as 1,500 companies, including a major Swedish grocery chain. Last week, the notorious group behind the hack disappeared from the internet, leaving victims with no way to pay and unlock their systems. But now it appears the situation has finally been resolved, thanks to the surprise appearance of a universal decryption tool on Thursday.
The July 2 hack was about as bad as it gets. Kaseya sells IT management software that is popular among so-called managed service providers (MSPs), companies that run IT infrastructure on behalf of businesses that would rather not deal with it themselves. By exploiting a bug in Kaseya's MSP-focused product, called Virtual System Administrator, the REvil ransomware group was able to infect not only the MSPs but also their customers, resulting in a wave of destruction.
In the weeks since, victims have had two choices: pay a ransom to recover their systems or restore what was lost from backups. For many individual companies, REvil set the price at about $45,000. It tried to extract as much as $5 million from MSPs. It also initially set the price of a universal decryptor at $70 million, later dropping to $50 million before disappearing, presumably in an attempt to keep a low profile during a moment of high tension. When the group vanished, it took its payment portal with it. Victims were left stranded, unable to pay even if they wanted to.
Kaseya spokeswoman Dana Liedholm confirmed to WIRED that the company had obtained a universal decryptor from a “trusted third party”, but did not specify who supplied it. “We have a team that is actively working with our customers who have been affected, and we will share more about how we will further make the tool available when those details become available,” Liedholm said in an emailed statement, adding that outreach to victims has already begun with the help of the antivirus company Emsisoft.
“We are working with Kaseya to support their customer engagement efforts,” Emsisoft threat analyst Brett Callow said in a statement. “We have confirmed that the key is effective in unlocking victims and we will continue to support Kaseya and its customers.”
Security firm Mandiant is working with Kaseya on broader remediation, but a Mandiant spokesperson referred WIRED back to Liedholm when asked for further clarification on who provided the decryption key and how many victims still need it.
The ability to unlock any device that remains encrypted is undoubtedly good news. But the number of victims who still need help at this point may be a relatively small fraction of the initial wave. “The decryption key is probably useful to some clients, but it’s probably too late,” says Jake Williams, chief technology officer of security firm BreachQuest, which has multiple clients affected by the REvil campaign. That is because anyone who could restore their data, whether from backups, by paying, or otherwise, has likely done so by now. “The cases that will probably help the most are the cases where there is some unique data on the encrypted system that just can’t be meaningfully restored in any way,” Williams says. “In these cases, we have recommended that these organizations pay for decryption keys immediately if the data is critical.”
Many of REvil’s victims were small and medium-sized businesses; as MSP customers, they are by definition the types who prefer to outsource their IT needs, which in turn means they are less likely to have reliable backups readily available. There are, however, other ways to recover data, even if it means asking customers and suppliers to send over everything they have and starting over. “Hardly anyone was holding out hope for the key,” Williams says.