Kaseya, the Miami-based company that was at the center of a ransomware attack that targeted hundreds of businesses over the weekend of July 4, said on Thursday it had received a key that could help customers unlock access to their data and networks.
The mystery is how the company obtained the key. Kaseya only said that it obtained the key from a “third party” on Wednesday and that it was “effective in unlocking the victim”.
The development is among the latest mysteries surrounding the Kaseya attack, in which a Russia-based ransomware group called REvil, short for Ransomware Evil, infiltrated Kaseya and used it as a pipeline to extort hundreds of Kaseya customers, including grocery store chains and pharmacies in Sweden and two towns in Maryland, Leonardtown and North Beach.
The attack kicked off emergency meetings at the White House and prompted President Biden to call Russian President Vladimir Putin and ask him to address ransomware attacks coming from within his borders.
Within days of the call, REvil went dark. Gone is REvil’s “Happy Blog”, where it published emails and files stolen from victims of REvil ransomware. Its payment platform is gone. Its most notorious members suddenly disappeared from the cybercrime forums.
It’s unclear whether REvil went offline on its own initiative or at the behest of the Kremlin, or whether Pentagon hackers at Cyber Command played any role. But it was a loss for the victims of Kaseya, who were still in the process of negotiating to get their data back when their blackmailers suddenly disappeared.
Kaseya’s announcement that it has found the key is a welcome turn of events. Often, when ransomware groups hand over decryption tools to victims who have met their extortion demands, the tools are slow or ineffective. But in this case, Brett Callow, a threat researcher at EmsiSoft, a security company working with Kaseya, confirmed the decrypter “works”.
José Maria León Cabrera and Julie Turkewitz contributed reporting.