Kaseya, the IT management software company whose product was leveraged by the REvil ransomware gang to infect around 1,500 organizations with data-encrypting malware, says it has obtained a universal decryption key for victims of the July 4 weekend hack.
Now, organizations hit by this attack can recover their data without having to rebuild their systems from scratch.
The news comes nearly three weeks after the company first became aware of an attack against its VSA product and nine days after REvil websites and infrastructure mysteriously disappeared from the internet. Media reports suggest that U.S. President Joe Biden’s pressure on Russian President Vladimir Putin to shut down ransomware groups could have played a role in both REvil’s disappearance and the emergence of the universal key.
On its website, Kaseya said only that it obtained the tool from a third party and is actively helping customers restore their environments; the company reported no issues with the decryptor so far.
The company said it is also working with cybersecurity solutions provider Emsisoft to help customers restore their operations.
“We remain committed to ensuring the highest levels of safety for our customers and will continue to update here as more details become available,” the company posted in a long thread of updates on this incident. “Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.”
This is welcome news for organizations still struggling to restore their data, including some that paid the ransom for a decryption key only to report that the key they received did not work.
Last week, Kaseya patched the vulnerabilities in its VSA software that the ransomware actors leveraged in the massive attack, which used managed service providers (MSPs) to encrypt the data of about 1,500 business customers.
The patch included in the VSA 9.5.7a release for on-premises versions of Kaseya’s remote monitoring solution was published Sunday afternoon, and all the company’s software-as-a-service (SaaS) customers were back online by early this morning, according to updates on the software company’s website.
Since then, the company has released a further update that remediates some issues caused by the initial security patch.
According to BleepingComputer, the Dutch Institute for Vulnerability Disclosure (DIVD) reported seven vulnerabilities to Kaseya in April. Kaseya had already fixed most of them in the VSA SaaS service but had not yet completed the patches for the on-premises version.
That is where the REvil ransomware gang capitalized: on July 2 it exploited the still-unpatched flaws on the on-premises VSA servers of about 60 MSPs, and through them reached the MSPs’ customers.