Kaseya has obtained a universal decryptor that lets victims of the July 2nd REvil ransomware attack recover their files for free.
On July 2nd, the REvil ransomware operation launched a massive attack by exploiting a zero-day vulnerability in the Kaseya VSA remote management software to encrypt approximately sixty managed service providers and an estimated 1,500 businesses.
After the attack, the threat actors demanded $70 million for a universal decryptor, $5 million for MSPs, and $40,000 for each file extension encrypted on a victim’s network.
Shortly after, the REvil ransomware gang mysteriously disappeared, and the threat actors shut down their payment sites and infrastructure.
While most victims did not pay, the gang’s disappearance left companies that may have needed to purchase a decryptor unable to do so.
Now, Kaseya has stated that they obtained a universal decryptor for the ransomware attack from a “trusted third party” and are distributing it to affected customers.
“We can confirm we obtained a decryptor from a trusted third party but can’t share any more about the source,” Kaseya’s SVP Corporate Marketing Dana Liedholm told BleepingComputer.
“We had the tool validated by an additional third party and have begun releasing it to our customers affected.”
While Kaseya would not share details about the key’s source, they confirmed with BleepingComputer that it is the universal decryption key for the entire attack, allowing all MSPs and their customers to decrypt files for free.
When asked whether they paid a ransom to obtain a decryptor, Kaseya told BleepingComputer that they “cannot confirm or deny that.”
Emsisoft CTO Fabian Wosar told BleepingComputer that they were the third party who validated the key and will continue to assist Kaseya in their recovery efforts.
“We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers,” Wosar told BleepingComputer.
It is unclear what caused the REvil ransomware operation to shut down and go into hiding, and multiple international law enforcement agencies have told BleepingComputer that they were not involved in their disappearance.
After the attacks on JBS and Kaseya, the White House has pressured the Russian government to do something about the ransomware gangs believed to be operating inside Russia.
It is believed that the Russian government instructed the REvil ransomware gang to shut down and vanish to show that they were working with the USA.
As the decryptor was obtained after the REvil gang’s disappearance, it is possible that Russia acquired it directly from the ransomware gang and shared it with US law enforcement as a gesture of goodwill.
When we asked the FBI if they were involved in the procurement of the decryption key, we were told that they do not comment on ongoing investigations.
“The DOJ and FBI have an ongoing criminal investigation into the criminal enterprise behind the REvil/Sodinokibi ransomware variant and the actors responsible for the Kaseya ransomware attack specifically,” the FBI told BleepingComputer.
“Per DOJ policy, we cannot comment further on this ongoing investigation.”
REvil’s disappearance is likely not the end of the gang’s online activities.
In the past, the GandCrab ransomware operation shut down and rebranded as REvil, and it is expected that REvil will resurface as a new ransomware operation.
Update 7/22/21 9:42 PM EST: Added Emsisoft and FBI statements.