Kaseya obtained a universal decryptor for REvil ransomware attack

The REvil ransomware gang launched a massive supply chain attack against the cloud-based managed service provider platform Kaseya earlier this month, affecting both other MSPs using its VSA software and their clients.


MSPs use the VSA tool to help their customers with patch management and client monitoring.


The REvil ransomware operators, like earlier supply chain attacks, first hijacked Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premises servers to infect enterprise networks.


REvil attackers gained an authorized session by compromising the authentication bypass zero-day (CVE-2021-30116) in the web interface of the Kaseya VSA server.


The attackers then uploaded the payload and used SQL injection to run a command that installed the malicious updates.


The owners of systems affected in this campaign were first asked to pay $44,999 in Bitcoin to the ransomware operators.


They later shifted tactics and demanded a single $70 million ransom from all the victims.


Kaseya has now revealed that it has obtained a universal decryptor that would allow ransomware victims to retrieve their files for free.


Kaseya has now revealed that it has obtained a universal decryptor from a reputable third-party, allowing victims of the ransomware attack to restore their files for free.


The software company tested the tool and confirmed that it could effectively recover files encrypted by the REvil ransomware.


It is now offering the tool to its customers to assist them in restoring their encrypted systems.


The attack impacted less than 60 of the company’s clients and less than 1,500 businesses, according to the company.


“While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure. Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants. Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.” reads a statement published by the company.


Since the majority of Kaseya’s customers are managed service providers, or organizations that provide IT assistance to their own customers, Kaseya estimated that between 800 and 1,500 businesses were impacted by the July 2 attack.


The infrastructure and websites employed by the REvil ransomware group were unexpectedly inactive from the night of July 13.


At the same time, the Tor leak site, the payment website “decoder[.]re,” and their backend infrastructure went down.


The existence of a universal decryptor has recently made headlines, although the company has not stated whether it received the technology after paying the ransom.


We can’t rule out the possibility that the REvil operators distributed the decryptor for free to avoid government and law enforcement pressure.




You might also like:

REvil ransomware gang’s websites shut down: Report

Kaseya issued fixes for flaws exploited in REvil ransomware attack