Remote management software firm Kaseya announced on July 22 that the company has obtained a universal decryption key for the ransomware that affected 50 to 60 managed service providers and more than 1,000 of those MSPs' downstream customers.
The Florida-based company confirmed that the decryption key — which Kaseya referred to as a software "tool" — successfully recovered systems encrypted by the ransomware. Kaseya is working with a third party, Emsisoft, to reach out to affected customers and their clients and unlock any encrypted data.
So far, the tool has been used successfully without issues, Kaseya stated in a blog post.
"We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor," the company said.
The availability of the decryption tool marks the beginning of the end of an attack that affected more than a thousand companies, highlighted software supply chain weaknesses, and demonstrated the critical role that managed service providers play in defending companies against attacks.
On July 2, cybercriminals associated with the Russia-linked REvil group used a trio of vulnerabilities in Kaseya's Virtual System Administrator (VSA) servers to compromise organizations — many of them managed service providers (MSPs) — that had deployed the software as Internet-connected on-premises servers. Using the servers, the attackers then installed ransomware on the clients managed by the VSA systems, often infecting hundreds or thousands of endpoints at the affected MSPs' business clients.
While companies have spent more than three weeks recovering from the July attack, the decryptor will aid in recovering data that had not been backed up before the attack, a worker at one MSP stated on condition of anonymity, as the company had to sign a nondisclosure agreement with Kaseya to get access to the decryption tool.
"At this point, our clients are mostly recovered or fully recovered and in working order, and we have restored backups," the worker stated. "There may be some cases where there were documents not saved to a shared folder we are backing up and we are looking into that. In those situations, the decryptor will be helpful."
Kaseya would not say how it "obtained" the decryption tool and declined to say if it paid a ransom. "We can’t share any details about how and from whom we obtained the decryptor," Kaseya spokeswoman Dana Liedholm said in a response to Dark Reading.
The most likely explanation is that someone paid part of the ransom, whether Kaseya, a group of victims, or the government. Alternatively, the decryption key could have been seized in an offensive cyber operation or somehow discovered by security researchers.
The development comes after the REvil group's sites disappeared from the Internet on July 13. Several of the group's sites on the Dark Web have become unreachable as well. The cause of the outage is unclear, but it came after US President Joe Biden put pressure on Russian President Vladimir Putin to investigate the criminal group, which is thought to operate from that country. Biden had also maintained that the United States could attack servers hosting ransomware groups.
The Kaseya breach could have been much worse. While about 2,200 on-premises servers appeared to be vulnerable to the exploit chain used by attackers, only 50 to 60 servers — most at managed service providers — were targeted in the attack. The Ransomware Task Force, an industry and policy group created in December 2020, considers the use of MSPs to amplify a ransomware attack to be a worst-case scenario.
While Kaseya did take steps once it learned of the attack, which triggered simultaneously across all compromised VSA servers at 12:30 p.m. ET, attackers had already compromised the vulnerable systems by that point, John Hammond, senior security researcher at Huntress Labs, stated in a blog post earlier this week.
"By the time VSA customers shut down their servers, any exploitation would have already been complete, and attacks would have happened as planned," he wrote. "Anecdotally, we have received reports of some customers finding remnants of the malicious stored procedures when bringing VSA servers back online; however, any order to shut down after [the triggering time of] 12:30 ET would not have minimized the number of compromised MSPs."
If Kaseya paid a ransom to gain access to the decryptor, the company would be failing to heed increasingly strident advice for companies to forgo dealing with cybercriminals, since paying funds their operations and attracts more ransomware activity. In May, oil and gas transport network Colonial Pipeline paid attackers $4.4 million to help it recover its systems after the attack had shut down its pipeline for over a week.