Categories: Kaseyaransomware

The Kaseya Ransomware Nightmare Is Almost Over

Nearly three weeks ago, a ransomware attack against a little-known IT software company called Kaseya spiraled into a full-on epidemic, with hackers seizing the computers of as many as 1,500 businesses, including a major Swedish grocery chain. Last week, the notorious group behind the hack disappeared from the internet, leaving victims with no way to pay up and free their systems. But now the situation seems close to finally being resolved, thanks to the surprise appearance on Thursday of a universal decryption tool.

The July 2 hack was about as bad as it gets. Kaseya provides IT management software that’s popular among so-called managed service providers (MSPs), which are companies that offer IT infrastructure to companies that would rather not deal with it themselves. By exploiting a bug in MSP-focused software called Virtual System Administrator, the ransomware group REvil was able to infect not just those targets but their customers as well, resulting in a wave of devastation.

In the intervening weeks, victims had effectively two choices: pay the ransom to recover their systems or rebuild what was lost through backups. For many individual businesses, REvil set the ransom at roughly $45,000. It attempted to shake down MSPs for as much as $5 million. It also originally set the price of a universal decryptor at $70 million. The group would later come down to $50 million before vanishing, likely in a bid to lay low during a high-tension moment. When they disappeared, they took their payment portal with them. Victims were left stranded, unable to pay even if they wanted to.

Kaseya spokesperson Dana Liedholm confirmed to WIRED that the company obtained a universal decryptor from a “trusted third party,” but she did not elaborate on who provided it. “We have a team actively working with our customers who were affected, and will share more about how we will further make the tool available as those details become available,” Liedholm said in an emailed statement, adding that outreach to victims had already begun, with the help of antivirus firm Emsisoft.

“We are working with Kaseya to support their customer engagement efforts,” said Emsisoft threat analyst Brett Callow in a statement. “We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.”

The security firm Mandiant has been working with Kaseya on remediation more broadly, but a Mandiant spokeserson referred WIRED back to Liedholm when asked for additional clarity on who provided the decryption key and how many victims still required it.

The ability to free up every device that remains encrypted is undeniably good news. But the number of victims left to help at this point may be a relatively small chunk of the initial wave. “The decryption key is probably helpful to some clients, but it’s likely too little too late,” says Jake Williams, CTO of security firm BreachQuest, which has multiple clients who were hit in the REvil campaign. That’s because anyone who could reconstitute their data, through backups, payment, or otherwise, likely would have done so by now. “The cases where it’s likely to help the most are those where there’s some unique data on an encrypted system that simply can’t be meaningfully reconstituted in any way,” Williams says. “In those cases, we recommended those orgs immediately pay for decryption keys if the data was critical.”

Many of the REvil victims were small and midsize businesses; as MSP customers, they’re definitionally the types who prefer to outsource their IT needs—which in turn means they may be less likely to have reliable backups readily available. Still, there are other ways to rebuild data, even if it means asking clients and vendors to send whatever they’ve got and start over from scratch. “It’s unlikely anyone was holding out hope for a key,” Williams says.

For whatever stragglers do remain, today’s news may herald the end of a weeks-long ordeal. However,

Read More

News Bot

Published by
News Bot

Recent Posts

We are now at ‘Feels like a new signing’ stage of the Newcastle United transfer window

So how has this Newcastle United transfer window been for you? Or maybe the question…

48 mins ago

That time the vault was set too low at the 2000 Sydney Olympics and everybody fell

In honor of Suni Lee winning Olympic gold in the women's all-around gymnastics, here's that…

50 mins ago

Intense video of a paddleboarder saved by his lifejacket and waterproof phone pouch

This is intense footage of a paddleboarder who was saved by his waterproof phone pouch…

50 mins ago

Joint parliamentary committee to scrutinise Online Safety Bill

A parliamentary “super committee” made up of MPs and lords has been established to scrutinise…

50 mins ago

Covid-19: TechUK urges government to tweak self-isolation policy for critical datacentre workers

TechUK wants datacentre operators to be allowed to run their own "test and release" protocols…

50 mins ago

Covid-19: Lockdown lifting slows Amazon’s sales growth during Q2

Amazon’s revenue growth rate hits a post-pandemic speed bump, as the lifting of lockdown restrictions…

50 mins ago