About 19 days after the initial REvil ransomware attack, Kaseya has acquired a decryptor from a third party and is now distributing it to affected customers.
In an update issued this Wednesday, Kaseya informed users that it has “obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor.”
The company is also working with Emsisoft to support its customer engagement efforts, and Emsisoft has confirmed that the key effectively unlocks the victim’s files.
Better late than never
Since the initial ransomware attack on its VSA servers on July 3, Kaseya has been actively working on fixing the vulnerabilities to prevent further incursions. Over 50 Kaseya customers were impacted, and because many of them were managed service providers (MSPs), over 1,500 organisations were infected with the ransomware.
It is still unclear whether Kaseya obtained this key or decryptor from REvil or from someone else, as the update did not reveal its source, but it is certainly a relief for all impacted customers. The need to patch the vulnerability remains, however, as unpatched servers can still be compromised.
REvil, the gang behind the attack, had made headlines when it mysteriously disappeared, taking its servers and websites offline two days after the Biden administration called on Russia to rein in ransomware gangs operating on Russian soil.
The premise was that REvil itself had not anticipated how effective the attack would be, which led the gang to change its ransom demand significantly, to $70 million, possibly the largest ransom ever demanded in a cyber attack.
The gang had also changed its stance from providing a universal decryptor to offering an extension-based decryptor. REvil demanded somewhere between $40,000 and $45,000 per encrypted file and claimed it could fix the victim’s files in under an hour.