Nearly three weeks In the past, against a ransomware attack Little-known IT software company Kaseya Get into a pandemic with hackers Seizure of the computers of up to 1,500 companies, Including a major Swedish grocery chain. Last week, the notorious organization behind the hackers disappeared from the Internet, leaving victims unable to pay and release their systems. But now the situation seems to be close to being finally resolved, thanks to a general decryption tool that unexpectedly appeared on Thursday.
The hack on July 2 was as bad as it is now. The IT management software provided by Kaseya is popular among so-called managed service providers (MSPs), which provide IT infrastructure to companies that do not want to handle IT infrastructure on their own. By exploiting vulnerabilities in the MSP-focused software called Virtual System Administrator, the ransomware organization REvil was able to infect not only these targets, but also their customers, leading to a wave of devastation.
In the next few weeks, victims actually have two options: pay a ransom to restore their system or rebuild what was lost through backup. For many individual businesses, REvil sets the ransom at approximately US$45,000. It tried to shake MSP at a price of up to $5 million. It also initially set the price of the universal decryptor at $70 million. The group later dropped to $50 million before disappearing, probably to keep a low profile during times of tension. When they disappeared, they took away their payment portal. The victims were stranded and unable to pay even if they wanted to.
Kaseya spokesperson Dana Liedholm confirmed to WIRED that the company obtained the universal decryptor from a “trusted third party,” but she did not specify who provided it. Liedholm said in an email statement: “We have a team that is actively working with affected customers and will share more information about how we will further provide the tool when these details become available,” adding that it has already started Contact with the victim, with the help of the antivirus company Emsisoft.
Emsisoft threat analyst Brett Callow said in a statement: “We are working with Kaseya to support their customers’ participation in the work.” “We have confirmed that the key can effectively unlock victims and will continue to provide it to Kaseya and its customers. support.”
The security company Mandiant has been working with Kaseya on a wider fix, but when asked to further clarify who provided the decryption key and how many victims still need it, a Mandiant spokesperson transferred WIRED back to Liedholm.
The ability to release all devices that maintain encryption is undoubtedly good news. But the number of victims left to help at this time may be only a small part of the initial wave. “The decryption key may be helpful to some customers, but it may be too late,” said Jack Williams, the chief technology officer of the security company BreachQuest, which has multiple customers hit in REvil activities. That’s because anyone who can rebuild data through backup, payment, or other means is likely to have done so now. “It may be most helpful in situations where there is some unique data on the encryption system that cannot be meaningfully reorganized in any way at all,” Williams said. “In these cases, if the data is important, we recommend that these organizations pay for the decryption key immediately.”
Many REvil victims are small and medium-sized enterprises; as MSP customers, they are clearly the type that likes to outsource their IT needs-which in turn means that they may not be likely to have a reliable backup readily available. Still, there are other ways to reconstruct the data, even if it means asking customers and suppliers to send whatever content they have and start from scratch. “It’s unlikely that anyone has hope for the key,” Williams said.