Almost three weeks there is, a ransomware attack against a little-known computer software company called Kaseya turned into a real epidemic, with pirates seize computers from up to 1,500 companies, including a large Swedish grocery chain. Last week, the notorious group behind the hack disappeared from the internet, leaving victims with no way to pay and free their systems. But now, the situation seems close to being finally resolved, thanks to the surprise appearance on Thursday of a universal decryption tool.
The July 2 hack was about as bad as it gets. Kaseya provides IT management software that is popular with Managed Service Providers (MSPs), which are companies that provide IT infrastructure to businesses that prefer not to take care of it themselves. By exploiting a bug in an MSP-focused software called Virtual System Administrator, the ransomware group REvil was able to infect not only these targets, but their customers as well, resulting in a wave of devastation.
In the weeks that followed, victims actually had two choices: pay the ransom to recover their systems or rebuild what had been lost through backups. For many sole proprietorships, REvil has set the ransom at around $ 45,000. He tried to shake up the MSPs for no less than $ 5 million. He also initially set the price of a universal decryptor at $ 70 million. The group would later return to $ 50 million before disappearing, presumably in an attempt to keep a low profile during a moment of high tension. When they disappeared, they took their payment portal with them. The victims remained stranded, unable to pay even if they wanted to.
Kaseya spokeswoman Dana Liedholm confirmed to WIRED that the company obtained a universal decryptor from a “trusted third party,” but she did not say who provided it. “We have a team that is actively working with our customers who have been impacted, and we will share more on how we will continue to make the tool available as these details become available,” Liedholm said in a mailed statement. electronic, adding that the awareness of victims had already started with the help of the antivirus firm Emsisoft.
“We are working with Kaseya to support their customer engagement efforts,” Emsisoft Threat Analyst Brett Callow said in a statement. “We have confirmed that the key is effective in unlocking victims and will continue to provide assistance to Kaseya and her customers.”
Security firm Mandiant has worked with Kaseya on remediation more broadly, but a spokesperson for Mandiant referred WIRED to Liedholm when asked for details on who provided the decryption key and how many victims still had it. need.
The ability to free any devices that remain encrypted is undeniably good news. But the number of casualties remaining to help at this point may be a relatively small part of the initial wave. “The decryption key is probably useful for some customers, but it’s probably too little too late,” says Jake Williams, technical director of security firm BreachQuest, which has several customers affected by the REvil campaign. This is because anyone who could reconstruct their data, through backups, payments or otherwise, probably would have done so already. “The cases where this is likely to help the most are where there is unique data on an encrypted system that simply cannot be meaningfully reconstructed in any way,” says Williams. “In these cases, we recommended that these organizations pay for decryption keys immediately if the data was critical. “
Many of the victims of REvil were small and medium-sized businesses; as MSP customers, they are by definition the ones who prefer to outsource their IT needs, which means they are less likely to have reliable backups readily available. Still, there are other ways to reconstruct the data, even if that means asking customers and suppliers to send in whatever they have and start from scratch. “It’s unlikely that anyone will have any hope for a key,” Williams said.