Kaseya Denies Paying REvil Hackers For Decryption Tool

Miami-based software firm Kaseya has strongly denied it paid a ransom in order to obtain a decryption tool to help victims of the supply chain cyberattack.

Russia-based ransomware gang REvil launched an attack on Kaseya on 2 July, exploiting a zero-day vulnerability in the Kaseya VSA remote management application.

Kaseya’s software is used by thousands of businesses in the US and around the world, and the REvil attack succeeded in encrypting the systems of dozens of managed service providers and an estimated 800 to 1,500 businesses.

Decrypt tool

Five hundred Swedish Coop supermarkets, for example, were forced to close after their cash registers, operated by an affected service provider, stopped functioning, and 11 schools in New Zealand were also caught up in the disruption.

The REvil ransomware gang then demanded $70 million (£51m) in Bitcoin for a universal decryptor and smaller amounts for more limited fixes.

But the REvil gang mysteriously disappeared from the internet soon afterwards, shutting down its payment infrastructure so that organisations couldn’t buy a fix even if they had wanted to.

There is unconfirmed speculation that US cyber teams may have been responsible for the takedown.

Then last week Kaseya said it had received the universal decryption tool from a “trusted third party” and had it validated by an outside firm (said to be New Zealand-based computer security firm Emsisoft).

Kaseya said it is distributing the decryptor tool to those affected, but said it couldn’t disclose the source.

Kaseya reportedly declined to comment to Bleeping Computer on whether it had paid a ransom for the decryptor.

The tool was voluntarily given away by a “trusted partner” of REvil on behalf of the group’s leader, who calls himself “Unknown”, the BBC reported, citing a hacker who claims to belong to REvil’s inner circle.

The hacker said the gesture was part of a “new beginning”.

No payment

However, the sudden appearance of the decryptor tool has triggered speculation that Kaseya had made a payment.

But the US firm on Monday firmly denied that speculation.

“Throughout this past weekend, Kaseya’s Incident Response team and Emsisoft partners continued their work assisting our customers and others with restoration of their encrypted data,” said the firm in an update on its website.

“We continue to provide the decryptor to customers that request it, and we encourage all our customers whose data may have been encrypted during the attack to reach out to your contacts at Kaseya,” it said. “The decryption tool has proven 100 percent effective at decrypting files that were fully encrypted in the attack.”

“Kaseya has maintained our focus on assisting our customers, and when Kaseya obtained the decryptor last week we moved as quickly as possible to safely use the decryptor to help our customers recover their encrypted data,” it said.

And then it directly addressed the ransom payment rumours.

“Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal,” it said. “While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment.”

“As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor,” it concluded.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
