Kaseya obtains REvil decryptor, starts customer data recovery operations
Image: Tim Mossholder
Catalin Cimpanu July 22, 2021

Kaseya obtains REvil decryptor, starts customer data recovery operations

Kaseya obtains REvil decryptor, starts customer data recovery operations

Remote management software vendor Kaseya said today it obtained a universal decryptor for the REvil ransomware and is now in the process of helping customers recover their encrypted data following a major ransomware attack that targeted its on-premises VSA servers on July 2 this year.

In a phone call today, a Kaseya spokesperson told The Record it obtained the decrypter from a “trusted third-party,” but declined to elaborate further, for the moment.

The company said it obtained the decryptor yesterday, verified that the decryption tool worked properly, and has begun shipping it to affected customers earlier today.

In an update on July 6, the Kaseya CEO said that around 60 of its direct customers, users of VSA servers, were impacted in the July 2 attack.

Hackers used a zero-day to gain access to Kaseya VSA on-premise servers and then pivoted to workstations managed through the VSA software, deploying a version of the REvil ransomware on those systems and encrypting their files.

Since most of Kaseya’s customers are managed service providers, companies that provide IT support to their own customers, Kaseya said that the number of companies impacted in the July 2 attack was most likely between 800 and 1,500, based on its estimation.

Two days after the attack, the REvil ransomware gang took credit for the incident, and because it couldn’t negotiate ransom payments with all of the ~1,500 customers at the same time, it asked for a $70 million payment for a universal decrypter to recover files from all victims—something that was technically possible because of a clever design of its encryption procedures, as explained by Emsisoft CTO Fabian Wosar.

On July 13, nine days after it made its payment demand, the REvil gang took down all of its server infrastructure and disappeared from forums and the dark web, which caused panic among many of the companies impacted in the attack, with many finding themselves in a situation where they couldn’t recover their data even if they were willing to pay for a separate individual decryptor.

At the time of writing, it is unclear if Kaseya paid the ransom demand to the REvil gang through backchannel negotiations, if the REvil gang provided the decrypter for free, or if the decrypter was obtained by a security firm or law enforcement agency through other means.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.