UPDATE: July 27, 2021: Kaseya did not pay a ransom — either directly or indirectly — after it obtained a copy of a universal decryptor last week following the ransomware attack by REvil, according to a statement Monday.
Kaseya has been helping customers who request it regain access to their data, the company said. "The decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack."
After consulting with experts it decided not to negotiate with the criminals behind the attack, Kaseya said. The company last week obtained the decryptor from a third party, which it did not identify. The Biden administration nor federal law enforcement officials have commented on the developments.
Kaseya, a Miami-based IT services provider, confirmed that it received a universal decryptor key from a trusted third-party source on Wednesday, weeks after Russia-linked REvil targeted the company in a ransomware attack over the Independence Day weekend.
The company is actively working with affected customers to restore environments after the attacks, and engaged New Zealand-based security firm Emsisoft to help with those efforts. Emsisoft confirmed the decryptor key is helping organizations unlock affected systems.
Kaseya officials did not comment on whether it received any government help to obtain the key or whether it paid a ransom in exchange. REvil originally sought a record $70 million to end the campaign, but later reduced the ask to $50 million. White House and FBI officials did not return requests for comment.
The release of the decryptor may finally bring to an end one of the most brazen cyber campaigns in history. REvil, the threat actor behind the attack, exploited multiple zero-day vulnerabilities in Kaseya's VSA platform that the company had been actively working to mitigate with outside researchers.
The attack against Kaseya's VSA remote monitoring platform impacted less than 60 managed service providers (MSPs) and about 1,500 end customers worldwide, mostly small- to medium-sized organizations, including private businesses, schools, retailers and local government offices.
"We are working with Kaseya to support their customer engagement efforts," Emsisoft said in a statement provided by Brett Callow, threat analyst. "We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers."
The timing of the release is a key factor here, as REvil has been offline for more than a week, said John Hammond, senior security researcher at Huntress.
President Joe Biden spoke to Russia President Vladimir Putin earlier this month following the Kaseya attack with a warning that the U.S. would defend itself against malicious cyber activity that was tolerated by nation states. The administration had been working to encourage Russia to crack down on any criminal cyber activity operating within its borders.
"We could speculate and wonder about when this universal decryptor was acquired, if it came from REvil themselves or a law enforcement entity, or whether there were ongoing negotiations ... but the perspective of the victim MSPs is the most important aspect here," Hammond said via email.
Kaseya officials had been working around the clock with federal officials, forensic security experts from Mandiant and other experts for weeks to investigate how the attack took place and to safely restore service for its on-premises and SaaS customers. Kaseya released additional patches earlier this week to deal with performance issues related to the security updates.
Most MSPs will likely have restored most of their capabilities via the patches, according to MJ Shoer, senior vice president, executive director of CompTIA's Information Sharing and Analysis Organization (ISAO).
"The decryptor will be of value to any MSP who still has encrypted customers that they have not yet been able to restore," Shoer said via email. "This will be a faster restoration option than rebuilding systems, however an MSP or end customer may still opt for having their systems completely rebuilt to ensure there are no remnants from the attack left behind."