Kaseya, an IT management software firm, says that it’s obtained the REvil universal decryption key through a “trusted third party.” This should help Kaseya recover data from a July 4th REvil ransomware attack that affected over 1,500 businesses.
REvil is one of several ransomware groups operating out of Eastern Europe. It carried out a supply chain ransomware attack on Kaseya by exploiting a vulnerability in the company’s VSA product—a platform that Kaseya uses to distribute software to its customers. Kaseya claims that it was days away from patching this vulnerability when the hack occurred.
In the end, REvil’s ransomware affected 60 of Kaseya’s customers and over 1,500 downstream networks. The ransomware group demanded $70 million in exchange for a universal decrypter tool, though until now, Kaseya has avoided such a deal.
So how did Kaseya get the REvil universal decryption key? It’s possible, though unlikely, that the IT firm forked over $70 million to the REvil group. A more plausible explanation is that REvil or a third party, possibly the White House or Kremlin, handed the key to Kaseya for free.
Of course, this is just speculation. But several of REvil’s dark web sites disappeared last week following a phone call between President Biden and Vladimir Putin. In a press conference on Friday, July 9th, the president claimed that he “made it very clear to [Putin] that the United States expects, when a ransomware operation is coming from their soil even though it’s not, not, sponsored by the state, that we expect them to act.”
The president also confirmed that there would be consequences for future attacks, and that the U.S. is justified in targeting servers that host ransomware operations.
Regardless of how Kaseya got its hands on the REvil decrypter, the software firm can now unlock data that businesses lost in the July 4th ransomware attack (and other REvil attacks). Hopefully, this breakthrough will reduce the number of ransomware attacks that occur in the future.