Nearly three weeks ago, a ransomware attack against a little-known IT software company called Kaseya spiraled into a full-on epidemic, with hackers seizing the computers as many as 1,500 businesses, including a major Swedish grocery chain. Last week, the notorious group behind the hack disappeared from the internet, leaving victims with no way to pay up and free their systems. But now the situation seemed close to finally being resolved, thanks to the surprise appearance on Thursday of a universal decryption tool.
The July 2 hack was about as bad as it gets. Kaseya provides IT management software that’s popular among so-called managed service providers, which are companies that offer IT infrastructure to companies that would rather not deal with it themselves. By exploiting a bug in MSP-focused software called Virtual System Administrator, the ransomware group REvil was able to infect not just those targets but their customers as well, resulting in a wave of devastation.
In the intervening weeks, victims had effectively two choices: pay the ransom to recover their systems, or rebuild what was lost through backups. For many individual businesses, REvil set the ransom at roughly $45,000. It attempted to shake down MSPs for as much as $5 million. It also originally set the price of a universal decryptor at $70 million. The group would later come down to $50 million before vanishing, likely in a bid to lay low during a high-tension moment. When they disappeared, they took their payment portal with them. Victims were left stranded, unable to pay even if they wanted to.
Kaseya spokesperson Dana Liedholm confirmed to WIRED that the company obtained a universal decryptor from a “trusted third party,” but did not elaborate on who provided it. “We have a team actively working with our customers who were affected, and will share more about how we will further make the tool available as those details become available,” Liedholm said in an emailed statement, adding that outreach to victims had already begun, with the help of antivirus firm Emsisoft.
“We are working with Kaseya to support their customer engagement efforts,” said Emsisoft threat analyst Brett Callow in a statement. “We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.”
Security firm Mandiant has been working with Kaseya on remediation more broadly, but a Mandiant spokeserson referred WIRED back to Liedholm when asked for any additional clarity around who provided the decryption key and how many victims still required it.
The ability free up every device that remains encrypted is undeniably good news. But the number of victims left to help at this point may be a relatively small chunk of the initial wave. “The decryption key is probably helpful to some clients, but is likely too little too late,” says Jake Williams, CTO of security firm BreachQuest, which has multiple clients who were hit in the REvil campaign. That’s because anyone who could reconstitute their data, through backups, payment, or otherwise, likely would have done so by now. “The cases where it’s likely to help the most are those where there’s some unique data on an encrypted system that simply can’t be meaningfully reconstituted in any way,” Williams says. “In those cases, we recommended those orgs immediately pay for decryption keys if the data was critical.”
Many of the REvil victims were small and mid-sized businesses; as MSP customers, they’re definitionally the types who prefer to outsource their IT needs, which in turn means they may be less likely to have reliable backups readily available. Still, there are other ways to rebuild data, even if it means asking clients and vendors to send whatever they’ve got and start over from scratch. “It’s unlikely anyone was holding out hope for a key,” Williams says.