Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

Kaseya Obtains Decryption Tool After REvil Ransomware Hit

Software Vendor Said Approximately 60 MSPs and 1,500 Clients Affected by Attack
Kaseya Obtains Decryption Tool After REvil Ransomware Hit
Kaseya Executive Vice President Mike Sanders (Source: Kaseya)

Three weeks after its software was used to facilitate a massive ransomware attack, remote management software vendor Kaseya says it has obtained a universal decryption key to help victims.

See Also: Protecting Critical Data from Cyber Threats such as Ransomware with a Comprehensive Digital Vault Solution

Kaseya says the decryption tool will help the estimated 1,500 organizations affected by the attack, many of which are small businesses and have been struggling to restore their files from backups, or may have no backups at all.

To what does Kaseya owe this apparent saving grace? The software vendor would only say that it has obtained the decryptor from a third party, which it declined to identify. The company would not say if it paid a ransom to its attackers in exchange for the decryption tool, or if its insurer might have done so, or if the decryptor was provided for free.

Despite being able to help victims restore files, Kaseya, like other companies that have experienced breaches with knock-on effects, appears likely to face lawsuits alleging that it failed to have proper cybersecurity practices and defenses in place. By having obtained a universal decryption tool, however, as well as having already announced a program designed to help victims, the company is making a public effort to show that it's trying to help via every means possible.

Law enforcement officials and security experts continue to urge victims to never pay extortionists, and there were early signs Kaseya was trying to avoid paying the attackers. Mike Sanders, a Kaseya executive vice president, told cybersecurity blogger Brian Krebs on July 8 that the company had been counseled to not negotiate one ransom for a key to help all victims.

Many continue to hope that Kaseya did not go down that path. Because if so, the clear message to the cybercriminal world would be that ransomware continues to pay, provided you know how to get away with it, says Alex Holden, CISO of Hold Security, a Wisconsin-based consultancy that analyzes the cybercriminal underworld.

"I sincerely hope that Kaseya was able to get the decryption key without paying a ransom," Holden says.

Recovery: Easy for Some, Harder for Others

The ransomware attack unleashed on July 2 targeted remotely exploitable software vulnerabilities in Kaseya's Virtual System Administrator, or VSA, software being used by dozens of managed service providers and hundreds of their clients.

Kaseya first learned of the flaws after being notified by Dutch researchers three months prior, but had yet to deploy patches before disaster struck (see Kaseya Raced to Patch Before Ransomware Disaster).

Attackers affiliated with the REvil - aka Sodinokibi - ransomware operation used the vulnerabilities to exploit Kaseya's VSA software used by MSPs, up to 60 of which were infected. The MSPs run VSA servers, which communicate with VSA endpoint software running on clients' systems. By attacking the MSPs, the REvil affiliates were able to use the software to install malware on endpoints at up to 1,500 of the MSPs' client organizations.

Attackers hit only MSPs running the on-premises version of VSA. While Kaseya's software-as-a-service version of VSA appears to have had the same vulnerabilities, the company quickly deactivated its cloud-based software when the attack came to light, and those customers were not affected.

Early on, the REvil group offered a so-called universal decryptor that it claimed would decrypt every victim's crypto-locked systems in exchange for a $70 million ransom payment. Later, REvil appeared to lower the initial asking price to $50 million. Some cybercrime watchers speculated that victims and their insurers might collectively attempt to pool funds to obtain the key.

After the highly publicized attack, the REvil operation's infrastructure, including its darknet sites, went offline July 13. But it's unclear why. The Biden administration has welcomed REvil's current shutdown but says it doesn't know the cause. The White House also continues to press Russia to take action against ransomware-wielding criminals who may reside within its borders.

While the Kaseya attack was massive in scale, experts say some victims have already been able to recover. Unlike many ransomware attack groups, REvil appeared to be moving quickly to hit as many MSPs and their clients as possible. As a result, they appear to have stolen no data before crypto-locking systems. In addition, they didn't delete Volume Shadow Copies, which is a backup feature built into Windows. Security experts say that while having access to VSCs will be welcome, it does not mean that recovery via that route will be was easy, but at least it would be possible.

Some Kesaya-using MSPs, including Dutch MSP VelzArt, have been making all-out efforts to assist victims.

But numerous organizations have nevertheless remained stuck, says Allan Liska, an intelligence analyst with Recorded Future's computer security incident response team.

Liska says he has spoken with incident response companies dealing with the Kaseya incident. Those firms have told him that many smaller victims, such as dental clinics and law offices, are still struggling to rebuild their businesses from scratch. These organizations - in countries such as the U.S., Sweden, Australia and South Africa - are small enough that the disruptions don't make the news, Liska says.

One problem: These businesses may have contracted with MSPs for software deployment and patches - but not necessarily backups, Liska says. Also, some organizations that thought they had backups subsequently discovered they did not.

"It's all over the place," Liska says.

Working With Emsisoft

Kaseya says security firm Emsisoft has confirmed that the decryptor is effective. An Emsisoft spokesman says the company can't release information about how the key was obtained.

Emsisoft is a security firm that has extensive knowledge of ransomware and, most importantly, how to recover from it. Emsisoft also offers tools that can evaluate damage from ransomware - for example, whether crypto-locked files are recoverable -, so that victims can make a better-informed decision about whether paying for a decryption tool might be worth it, and if so, gain a better idea of how much to pay.

The security firm, however, says it does not offer negotiation services or facilitate payments to ransomware operations. Likewise, FireEye's Mandiant incident response team, which Kaseya brought in after the attack to assist, does not negotiate or help with payments.

For victims that do obtain a decryption tool, such software can be slow and buggy, or perhaps not work at all. After Colonial Pipeline Co. was hit by DarkSide ransomware in May, for example, it paid attackers $4.4 million for a decryption tool, only to find that restoring from backups was faster (see Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).

Emsisoft sells a flat-price software tool that it claims can make using a decryptor supplied by a ransomware operation - or obtained via other means - work faster and more reliably.

Full Recovery: No Guarantee

Ransomware-response experts, however, regularly caution that even with a working decryptor, 100% recovery of files cannot be guaranteed. Might the victims of the REvil ransomware distributed via Kaseya's software fare any differently?

"I can’t comment on the Kaseya case specifically, but I can comment on REvil in general," Fabian Wosar, CTO of Emsisoft, tells ISMG.

"REvil is one of the more reliable families out there. So the recovery rate, on average, is pretty high - as in the high nineties, percentage-wise," he says. "We have seen some more minor issues in the wild with REvil, like files that are just being renamed but not encrypted or files that are encrypted but not renamed, but nothing major - and these are generally just headaches and nuisances."

Wosar says for any given victim, however, there are no ironclad guarantees. "Any ransomware has the potential to damage data. REvil is no exception to this, and even though it is rare, we have seen files damaged by REvil before," he says.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.