Kaseya, victim of ransomware, obtains the master key to unblock networks
Kaseya, the American IT management company whose software was exploited in a devastating ransomware attack earlier this month, has received a universal key that will decrypt the data of the more than 1,000 companies and public organizations crippled in the global incident.
Kaseya spokeswoman Dana Liedholm would not say how the key was obtained or whether a ransom was paid. She said only that it came from a “trusted third party” and that Kaseya was distributing it to all victims. Cybersecurity firm Emsisoft confirmed that the key works and said it was providing support.
Ransomware analysts offered several possible explanations for why the master key, which can unlock the encrypted data of every victim of the attack, has now appeared. They include: Kaseya paid; a government paid; several victims pooled funds; the Kremlin seized the key from the criminals and delivered it through intermediaries; or perhaps the main culprit in the attack was never paid by the gang whose ransomware was used.
The Russia-linked criminal syndicate that supplied the malware, REvil, disappeared from the internet on July 13. That likely starved the attacker of income, because such affiliates split the ransoms with the syndicates that rent the ransomware to them.
In the Kaseya attack, the malware is believed to have spread to far more systems and caused far more damage than the syndicate expected, overwhelming its capacity to negotiate ransoms. In an unusual move, it decided to ask Kaseya for around $90 million for a master key that would unlock all infections.
By now, many victims will have rebuilt their networks or restored them from backups.
It’s a mixed bag, Liedholm said, because some “have been completely blocked.” She did not have an estimate of the cost of the damage and would not comment on whether any lawsuits had been filed against Kaseya. It is unclear how many victims may have paid ransoms before REvil went dark.
The so-called Kaseya supply chain attack was the worst ransomware attack to date because it spread through the channels that “managed service providers” use to administer multiple customer networks, delivering software updates and security patches.