Kaseya, the information technology company whose software was exploited to deliver the REvil strain of ransomware to its customers this month, announced that it obtained a universal decryption key that restores infected systems.
Almost three weeks after the crippling supply chain attack, Kaseya said Thursday that it recently acquired the decryptor’s key and was using it successfully to restore the systems of customers that remain affected.
“We can confirm that Kaseya obtained the tool from a third party and we have teams actively helping customers affected by ransomware restore their environments, with no reports of any issues or problems associated with the decryptor,” Kaseya stated on her website, adding . was working with Emsisoft, a New Zealand-based antivirus company that specializes in helping victims recover from ransomware attacks.
Kaseya offered no details on the origins of the decryptor. A spokesman for the Florida software company told reporters that the key came from a “trusted third party,” but did not specify further.
“We are working with Kaseya to support their customer engagement efforts,” Emsisoft said in a statement, adding that it “confirmed that the key is effective in unlocking the victims” of the large-scale ransomware attack.
REvil existed until recently as a ransomware-as-a-service operation. REvil developers licensed the custom malware to affiliates in exchange for a portion of the ransom payments received from their victims.
In addition to holding data hostage, REvil attackers also occasionally exfiltrated and later posted sensitive material stolen from victims online that the attackers said did not pay the requested sum.
Kaseya announced on July 3 that it was the victim of a “sophisticated cyber attack” in which its remote access software had been hacked and then used to attack its customers with the REvil strain of ransomware.
Up to 1,000 businesses were affected by the attack, Kaseya said, including Coop, a Swedish supermarket chain that said it was forced to close hundreds of its stores over several days.
The perpetrators told the victims of the attack to pay a ransom to regain access to the affected systems, and the websites associated with REvil later offered to sell a master decryption key for $ 70 million.
REvil disappeared on July 13, however, when all known websites and online infrastructure associated with the gang went offline, denying its victims a way to reach the perpetrators should they want to pay.
“We cannot share the source, but we can say that it is from a trusted third party,” Kaseya spokeswoman Dana Liedholm told reporters.
The White House says REvil was likely based in Russia. President Biden said he warned Russian President Vladimir Putin to control ransomware attacks coming from his country days before REvil disappeared.
The FBI warns ransomware victims not to pay.