Kaseya, the US software company that caused a mass ransomware event when its remote monitoring tool was hacked, is now offering free decryption to the estimated 1,500 affected organisations.
In a statement, the firm said it “obtained a decryptor” and was “working to remediate customers impacted by the incident”.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” it said.
Exactly how Kaseya got a universal decryptor for the ransomware is uncertain.
Notorious ransomware group REvil – which was behind the Kaseya attack – offered to sell a universal decryptor for US$70 million in bitcoin, promising it could unlock all encrypted files from affected organisations if someone was willing to pay the money.
But a week after the incident, REvil went offline. Its dark web leak sites and ransom pages suddenly disappeared from Tor services, making it nearly impossible for victims to contact their attackers.
So, did Kaseya find a way to pay the high ransom for a decryption key? No. After days of speculation online and in the media, the company categorically denied paying for the decryption tool.
"While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment," the company said in a statement.
"As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor."
The origins of Kaseya's decryptor remain unknown, with some suggesting the company may have gotten a helping hand from US law enforcement.
The FBI has some form in this area. After all, it did take control of the bitcoin wallets used by ransomware group DarkSide following the disruptive Colonial Pipeline attack in what one agent described as a “relentless” campaign against the hackers.
US President Joe Biden has tried leaning on his Russian counterpart Vladimir Putin to stop harbouring the ransomware groups that apparently reside in the country and deliberately avoid infecting computers with Russian keyboard layouts.
But as it cleans up its mess, Kaseya is making sure organisations sign a non-disclosure agreement before getting access to the decryption key, according to a report from CNN, making it difficult to fully understand what happened.
IT teams in the US complained about what they perceived as poor communication from Kaseya regarding the decryptor, the CNN report said. They said they had spent thousands of hours fixing systems – time that they could have spent elsewhere had they known Kaseya was going to offer a free fix.
Customers of Kaseya who spent 2,000+ hours recovering from REvil ransomware are frustrated the company only yesterday (and to everyone's surprise) said it'd obtained a decryption key that could unlock their systems.
With @NatashaBertrand and @MarquardtA: https://t.co/Y0hrFXe6JY
— Brian Fung (@b_fung) July 23, 2021
“This would have been really nice to have three weeks ago,” the head of one managed service provider said.
“We’ve put in over 2,000 recovery hours now.”
Kaseya has come under fire following the supply chain attack that was delivered through its software.
Former employees recently claimed they warned the company about serious cyber security concerns including outdated code, and poor encryption and password management in its products – but were ignored by management.
Updated Tuesday, 27 July: added new statement from Kaseya denying it paid a ransom for the decryptor.