[BreachExchange] Kaseya obtains universal decryptor for REvil ransomware victims

[Sophia Kingsbury]

https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/

Kaseya received a universal decryptor that allows victims of the July 2nd
REvil ransomware attack to recover their files for free.

On July 2nd, the REvil ransomware operation launched a massive attack by
exploiting a zero-day vulnerability in the Kaseya VSA remote management
application to encrypt approximately sixty managed service providers and an
estimated 1,500 businesses.

After the attack, the threat actors demanded $70 million for a universal
decryptor, $5 million for MSPs, and $40,000 for each extension encrypted on
a victim's network.

Soon after, the REvil ransomware gang mysteriously disappeared, and the
threat actors shut down their payment sites and infrastructure.

While most victims were not paying, the gang's disappearance prevented
companies who may have needed to purchase a decryptor unable to do so.

Today, Kaseya has stated that they received a universal decryptor for the
ransomware attack from a "trusted third party" and are now distributing it
to affected customers.

"We can confirm we obtained a decryptor from a trusted third party but
can’t share anymore about the source," Kaseya's SVP Corporate Marketing
Dana Liedholm told BleepingComputer.

"We had the tool validated by an additional third party and have begun
releasing it to our customers affected."

While Kaseya would not share information about the key's source, they
confirmed with BleepingComputer that it is the universal decryption key for
the entire attack, allowing all MSPs and their customers to decrypt files
for free.

When asked whether they paid a ransom to receive a decryptor, Kaseya told
BleepingComputer that they "can’t confirm or deny that."

It is unclear what caused the REvil ransomware operation to shut down and
go into hiding, and multiple international law enforcement agencies have
told BleepingComputer that they were not involved in their disappearance.

After the attack on JBS and Kaseya, the White House's has pressured the
Russian government to do something about the ransomware gangs believed to
be operating within Russia.

It is believed that the Russian government told the REvil ransomware gang
to shut down and disappear to show that they were working with the USA.

As the decryptor was obtained after the REvil gang's disappearance, it is
possible that Russia received it directly from the ransomware gang and
shared it with US law enforcement as a gesture of goodwill.

REvil's disappearance is likely not the end of the gang's online activities.

In the past the GandCrab ransomware operation shut down and rebranded as
REvil, and it is expected that REvil will resurface again as a new
ransomware operation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210722/7812df12/attachment.html>