Kaseya, the Amercian IT management company whose software was exploited in a devastating ransomware attack earlier this month, has received a universal key that will decrypt all of the more than 1000 businesses and public organisations crippled in the global incident.
Kaseya spokeswoman Dana Liedholm would not how the key was obtained or whether a ransom was paid. She said only that it came from a “trusted third party” and that Kaseya was distributing it to all victims. The cybersecurity firm Emsisoft confirmed that the key worked and was providing support.
Ransomware analysts offered multiple possible explanations for why the master key, which can unlock the scrambled data of all the attack’s victims, has now appeared. They include: Kaseya paid; a government paid; a number of victims pooled funds; the Kremlin seized the key from the criminals and handed it over through intermediaries; or perhaps the attack’s principle protagonist didn’t get paid by the gang whose ransomware was used.
The Russia-linked criminal syndicate that supplied the malware, REvil, disappeared from the internet on July 13. That likely deprived whoever carried out the attack with income because such affiliates split ransoms with the syndicates that lease them the ransomware.
Loading
In the Kaseya attack, it’s believed the malware flowed through to many more systems and caused much more damage than the syndicate was expecting, overwhelming it with ransom negotiations. In an unusual move, it decided to ask Kaseya for around $90 million for a master key that would unlock all infections.
By now, many victims will have rebuilt their networks or restored them from backups.
It’s a mixed bag, Liedholm said, because some “have been in complete lockdown.” She had no estimate of the cost of the damage and would not comment on whether any lawsuits may have been filed against Kaseya. It is not clear how many victims may have paid ransoms before REvil went dark.
The so-called supply-chain attack of Kaseya was the worst ransomware attack to date because it spread through channels that so-called “managed service providers” use to administer multiple customer networks, delivering software updates and security patches.