Kaseya Denies Paying REvil Hackers For Decryption Tool

symantec cloud

Kaseya refused to negotiate with REvil ransomware gang, and has strongly denied paying a ransom in order to obtain decryptor tool

Miami-based software firm Kaseya has strongly denied it paid a ransom in order to obtain a decryption tool to help victims of the supply chain cyberattack.

Russia-based ransomware gang REvil launched an attack on Kaseya on 2 July, exploiting a zero-day vulnerability in the Kaseya VSA remote management application.

Kaseya’s software is used by thousands of businesses in the US and around the world, and the REvil attack succeeded in encrypting the systems of dozens of managed service providers and an estimated 800 to 1,500 businesses.

HSBC, security, hacking

Decrypt tool

Five hundred Swedish Coop supermarkets for example were forced to close after their cash registers, operated by an affected service provider, stopped functioning, and 11 schools in New Zealand were also involved in the disruption.

The REvil ransomware gang then demanded $70 million (£51m) in Bitcoin for a universal decryptor and smaller amounts for more limited fixes.

But the REvil gang mysteriously disappeared from the internet soon afterwards, shutting down its payment infrastructure so that organisations couldn’t buy a fix even if they had wanted to.

There is unconfirmed speculation that US cyber teams may have been responsible for the takedown.

Then last week Kaseya said it had received the universal decryption tool from a “trusted third party” and had it validated by an outside firm (said to be New Zealand-based computer security firm Emsisoft).

Kaseya said it is distributing the decryptor tool to those affected, but said it couldn’t disclose the source.

Kaseya reportedly declined to comment to Bleeping Computer on whether it had paid a ransom for the decryptor.

The tool was voluntarily given away by a “trusted partner” of REvil on behalf of the group’s leader, who calls himself “Unknown”, the BBC reported, citing a hacker who claims to belong to REvil’s inner circle.

The hacker said the gesture was part of a “new beginning”.

No payment

However the sudden appearance of the decryptor tool has triggered speculation that Kaseya had made a payment.

But the US firm on Monday firmly denied that speculation.

Throughout this past weekend, Kaseya’s Incident Response team and Emsisoft partners continued their work assisting our customers and others with restoration of their encrypted data,” said the firm in an update on its website.

“We continue to provide the decryptor to customers that request it, and we encourage all our customers whose data may have been encrypted during the attack to reach out to your contacts at Kaseya,” it said. “The decryption tool has proven 100 percent effective at decrypting files that were fully encrypted in the attack.”

“Kaseya has maintained our focus on assisting our customers, and when Kaseya obtained the decryptor last week we moved as quickly as possible to safely use the decryptor to help our customers recover their encrypted data,” it said.

And then it directly addressed the ransom payment rumours.

“Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal,” it said. “While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment.”

“As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor,” it concluded.