Kaseya has received a universal key that will decrypt the files of all of the more than 1,000 businesses and public organizations crippled in the global incident.
Kaseya spokeswoman Dana Liedholm would not say Thursday how the key was obtained or whether a ransom was paid. She said only that it came from a “trusted third party” and that Kaseya was distributing it to all victims. The cybersecurity firm Emsisoft confirmed that the key worked and was providing support.
According to AP News, cybersecurity researchers offered many explanations for why the master key has now appeared, including: Kaseya paid; a government paid; a number of victims pooled funds; the Kremlin seized the key from the criminals and handed it over through intermediaries; or perhaps the main attacker was not paid by the gang whose ransomware was used.
Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, explains, "The supply-chain attack on Kaseya was initially discovered on July 2, 2021, when multiple managed service providers (MSPs) began reporting infections of the Sodinokibi ransomware. Two days later, REvil (aka Sodinokibi) made a post on 'Happy Blog', the dark web site for the group, claiming responsibility for the attack. REvil stated that it had infected one million systems, and it requested USD 70 million in Bitcoin for a master decryption key. The group claimed that the universal decryptor would allow victims to recover from the attack in less than an hour."
Righi says, "The sudden appearance of this universal key suggests that it is possible that this ransom may have been paid, although it is likely that the ransom would have been negotiated down to a lower price. While the master decryption key has been acquired, the attack should not be considered to be over. REvil is a group that is known to exfiltrate data from victims. Therefore, the group may still have copies of data stolen from victims. The group could use this data to extort victims or auction off the data, as it has done in the past on its website Happy Blog. However, the group's current activities are unknown since going dark on 13 July 2021, when their sites vanished and representatives got banned on prominent forums."
Righi adds, "This attack was a significant ransomware attack, and it is likely one of the most destructive attacks conducted to date. However, it is not the only ransomware supply-chain attack to occur this year. Previously, the Clop ransomware gang conducted a large-scale supply-chain attack via Accellion FTA software in February 2021 that affected numerous organizations."