Kaseya Ransomware Saga Mysteriously Comes to an End, but Nothing to See Here, Folks, Just Keep It Moving

Photo: ROB ENGELAAR/ANP/AFP (Getty Images)

Kaseya, the cloud software vendor at the heart of a massive ransomware attack on hundreds of companies, announced this week that it had some good news: somehow, it had come into possession of a “universal decryptor” to unlock all of the data affected by the recent hack.

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said in a statement put out Thursday.

The question remains, however: Where did that decryptor come from?

To recap, the company was hit with ransomware over the July 4 weekend, and the Russian-speaking cybercriminal gang REvil subsequently claimed responsibility. The attack infected not just Kaseya but its client base, which, in turn, infected its clients’ own customers, ultimately affecting some 1,500 businesses worldwide.

REvil subsequently demanded $70 million in exchange for a universal decryption key to unlock all of the victims’ data.

However, in a surprising twist, the gang then proceeded to disappear from the internet. Indeed, less than two weeks after REvil made its ransom demand, nearly all traces of the cybercriminal group vanished from the web, including its website and payment portal.

Now, somehow, Kaseya says it has managed to get hold of the universal decryption key, though it hasn’t explicitly said how that happened.

When asked by Gizmodo where the key came from, a Kaseya spokesperson reiterated that it had come from “a trusted third party.” When asked whether the company paid for the key, the spokesperson said that the company couldn’t “comment to your question around payment.”

Even if the company had paid the massive ransom, it’s not entirely clear how or when an exchange would have occurred, since REvil has since “gone dark.” However, there are a couple of theories floating around as to what may have happened.

Some experts have wondered whether the Russian government “might have seized the key from the criminals and handed it over through intermediaries,” The Guardian writes. This seems plausible, since we know that the Kaseya incident inspired significant political tensions between the White House and the Kremlin. President Joe Biden reportedly had a curt conversation with Vladimir Putin not long after the Kaseya attack, in which he asked the Russian leader to essentially take responsibility for the cybercriminals operating within his country’s borders.

Another hypothetical scenario could be that Kaseya actually paid the ransom fairly early in the extortion process, thus exchanging the money for the key. That might explain why REvil has since disappeared. That is, if it accomplished what it set out to do, why not take the money and run?

All in all, it’s another somewhat mysterious resolution to a large-scale ransomware attack, a pattern that seems to be increasingly common. A similarly vague climax occurred in early June, when the FBI announced that it had somehow managed to track and seize a majority of the ransom payment made to the gang DarkSide after its attack on Colonial Pipeline. The feds never disclosed their methods and, much like the situation involving REvil, DarkSide proceeded to “go dark” around the same time that the FBI seized its money.

https://gizmodo.com/kaseya-ransomware-saga-mysteriously-comes-to-an-end-bu-1847351098