leowolfert - Fotolia

Kaseya obtained ransomware decryptor from 'trusted third party'

Kaseya told SearchSecurity that for 'confidentiality reasons' it could only confirm that the ransomware decryptor came from a trusted third party and that it was helping customers.

Kaseya has obtained the decryption key for the massive ransomware attack it suffered earlier this month, but the company won't say how other than that it came from a "trusted third party."

The IT management software vendor disclosed a supply-chain attack on July 2 that compromised approximately 60 of its managed service provider (MSP) customers and up to 1,500 MSP clients. Ransomware gang REvil had exploited zero-day vulnerabilities in Kaseya's endpoint management and network monitoring product VSA, and used said exploits to send malicious updates that facilitated the enormous ransomware attack.

NBC News reporter Kevin Collier tweeted Thursday that Kaseya had obtained the decryptor key "from a trusted third party" the day before -- 19 days after the initial attack -- and was working with customers.

A Kaseya spokesperson confirmed in an email to SearchSecurity that Kaseya had obtained the key from an unnamed third party and that "after having it validated, we immediately began working with our customers." The spokesperson declined to answer questions about whether the receipt of the key involved a ransom payment made by Kaseya or a third party working on their behalf, nor whether they could share any additional information on the third party; the spokesperson cited "confidentiality reasons."

UPDATE 7/26: Kaseya said on Monday that it did not pay a ransom to obtain the REvil ransomware decryptor. "While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment," the company said in an update. "As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom -- either directly or indirectly through a third party -- to obtain the decryptor." While the company did not provide further details on how it obtained the decryptor, Kaseya said the tool has been "100% effective" at unlocking files that were infected during the recent ransomware attacks.

REvil had originally demanded a $70 million ransom for a one-time, universal decryptor for all impacted victims.

Following the attack, Kaseya struggled to get VSA back online. In part due to the recovery process and in part to harden the product's security before relaunch, the vendor missed its planned July 7 window for redeployment and ultimately rereleased VSA, along with on-premises and SaaS patches, on July 11. Kaseya CEO Fred Voccola called the delay "probably the hardest decision I've had to make in my career."

A complete history of updates is available on Kaseya's attack information page.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Next Steps

Accenture responds to LockBit ransomware attack

New ransomware crew hammers on PrintNightmare bugs

Dig Deeper on Security operations and management

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close