Kaseya Obtains Universal Decryptor After REvil Attack

CyberCrimeSecurity
HSBC, security, hacking

Kaseya begins distributing decryption tool to companies affected by REvil ransomware attack after criminal gang mysteriously disappears from internet

A decryption tool has been made available to the hundreds of companies affected by REvil’s hack of US software company Kaseya earlier this month.

Kaseya said it had received the universal decryption tool from a “trusted third party” and had it validated by an outside firm.

REvil launched an attack on Kaseya on 2 July, exploiting a zero-day vulnerability in the Kaseya VSA remote management application.

It succeeded in encrypting the systems of dozens of managed service providers and an estimated 800 to 1,500 businesses.

M2M: The Future of CybersecurityDisruption

Five hundred Swedish Coop supermarkets were forced to close after their cash registers, operated by an affected service provider, stopped functioning, and 11 schools in New Zealand were also involved in the disruption.

The REvil ransomware gang demanded $70 million (£51m) in Bitcoin for a universal decryptor and  smaller amounts for more limited fixes.

But the gang mysteriously disappeared from the internet soon afterward, shutting down its payment infrastructure so that organisations couldn’t buy a fix even if they had wanted to.

Kaseya said it is distributing the decryptor tool to those affected, but said it couldn’t disclose the source.

New Zealand-based computer security firm Emsisoft said it was the company that had validated the tool and is aiding Kaseya in its recovery efforts.

‘New beginning’

Kaseya declined to comment to Bleeping Computer on whether it had paid a ransom for the decryptor.

Diplomatic pressure exerted by the US on Russia, where REvil is believed to be based, may have contributed to REvil’s disappearance and to the decryptor being supplied.

The tool was voluntarily given away by a “trusted partner” of REvil on behalf of the group’s leader, who calls himself “Unknown”, the BBC reported, citing a hacker who claims to belong to REvil’s inner circle.

The hacker said the gesture was part of a “new beginning”.

REvil has previously disappeared and reappeared in other forms, and its recent suspension of activities is unlikely to be permanent.

Read also :
Click to read the authors bio  Click to hide the authors bio