Kaseya, the company whose VSA product was used to spread a large-scale REvil ransomware attack, says it has obtained a universal decryption key for the victims, three weeks after the attack took place.
Kaseya Obtains Universal Decryptor
“On 7/21/2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to remediate customers impacted by the incident,” the official statement said.
The company says the tool came from a third party. Currently, Kaseya is helping its customers to restore their environments, with no reports of any issues stemming from the decryptor. “Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims,” the statement added.
About the Kaseya Attack
Even though the REvil ransomware gang claimed it had infected 1 million systems managed through Kaseya software, federal authorities put the number of infected entities in the thousands, and Kaseya itself estimated that roughly 1,500 downstream businesses were affected. Kaseya also said the attack was not a supply-chain compromise of its own backend or build infrastructure: the attackers instead exploited zero-day vulnerabilities in the VSA product (tracked as CVE-2021-30116), and then used the compromised VSA servers' management capabilities to push the REvil ransomware to the systems those servers administered.
On July 12, Kaseya released patches for the vulnerabilities, 10 days after the initial attack. “Fixed security vulnerabilities related to the incident referenced here and made other updates to improve the overall security of the product,” Kaseya said in its advisory.
Kaseya VSA (Virtual System Administrator) is remote monitoring and management software used by managed service providers and IT teams to monitor and administer their customers' endpoints and servers. The product is offered either as a Kaseya-hosted cloud (SaaS) service or as on-premises VSA servers run by the customer.
This is not the first time the Kaseya ecosystem has been abused to deliver ransomware. In 2019 the GandCrab ransomware gang exploited a years-old vulnerability in the Kaseya plugin for ConnectWise Manage, a professional services automation product used by IT support firms, to gain a foothold in vulnerable networks and distribute its ransomware payload from there.