A massive ransomware attack against managed service providers (MSPs) that started on July 2 had largely been controlled nearly three weeks later when remote management software firm Kaseya announced it had a working decryption tool and provided it to companies that signed a nondisclosure agreement.
The company has not disclosed where the decryption tool or the decryption key came from, but on Monday the firm stated that neither it nor a third party, on its behalf, had paid a ransom to the cybercriminals behind the attack. The company also stated the decryption tool has been "100% effective in decrypting files" that were encrypted during the ransomware attack.
The company remains committed to not rewarding the cybercriminals behind the attacks, the firm stated in its July 26 statement.
"While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment," the company said in its statement. "As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom — either directly or indirectly through a third party — to obtain the decryptor."
On July 2, cybercriminals either working with, or as part of, the Russia-linked ransomware gang REvil used three vulnerabilities in Kaseya's Virtual System Administrator (VSA) remote monitoring and management software to gain access to between 50 and 70 VSA servers, most of them deployed by managed service providers and exposed directly to the Internet. The attackers then used the compromised servers' own remote management capability to push the ransomware to systems at the MSPs' clients — typically small businesses. At least 1,500 businesses are thought to have been affected. The REvil gang set a ransom of $70 million and boasted on its blog that 1 million endpoints had been encrypted, a figure that security experts did not find credible.
While those numbers seem large, the attack could have been worse. The Dutch Institute for Vulnerability Disclosure (DIVD), which found at least one of the three flaws eventually used in the attack and reported it to Kaseya in April, had scanned the Internet for vulnerable VSA servers and found more than 2,200 exposed systems that could have been attacked, the group stated in a blog post.
Yet only a fraction of those systems were actually compromised.
"What we do know ... is that the blast radius for this incident was significantly smaller than what it could have been," John Hammond, senior threat researcher at Huntress Labs, stated in a blog post. "We can be thankful that this attack was relatively limited, but we can't lose sight and not dig deeper to understand why so we can be better prepared for whatever the next threat is."
The DIVD had worked with Kaseya to close the flaw and to estimate how many exposed servers were at risk. Three months after the April report, however, Kaseya had still not released a patch, and producing one after the attack took more than nine days.
In the meantime, affected managed service providers had worked overtime to restore their clients' systems from backups. By the time Kaseya had obtained a working decryption tool, a significant fraction of affected companies had already recovered the lion's share of their data.
"At this point it's too little, too late for basically everyone who was ransomed," says Chris Bisnett, co-founder and chief technology officer at Huntress Labs. "Unless they saved off encrypted files with the hopes that they could get them decrypted later and started from scratch, everyone has almost surely restored from backups. And if they haven't, they have been down for a few weeks."
Bisnett speculated that the FBI or the intelligence community could have given the decryption key to Kaseya, speculation fueled by the mysterious disappearance of REvil's leak site and forum on July 13. However, there has been no confirmation of US involvement in a takedown.
For its part, Kaseya said it released the statement to head off such speculation.
"Kaseya has maintained our focus on assisting our customers, and when Kaseya obtained the decryptor last week we moved as quickly as possible to safely use the decryptor to help our customers recover their encrypted data," the company said in its statement. "Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal."