Kaseya, the cloud provider at the center of a massive ransomware attack on hundreds of businesses, announced this week that it had some good news: Somehow, it had come into possession of a “universal decryptor” to unlock all of the data affected by the recent hack.
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company said in a statement put out Thursday.
The question remains, however: Where did that decryptor come from?
To review, the company was hit with ransomware this July 4 weekend and the Russian-speaking cybercriminal gang REvil subsequently claimed responsibility. The attack infected not just Kaseya but its client base, which, in turn, infected its clients’ clients, ultimately affecting some 1,500 businesses worldwide.
REvil subsequently demanded $70 million in exchange for a universal decryption key to unlock all of the victims’ data.
However, in a surprising twist, the gang then proceeded to disappear from the web. Indeed, less than two weeks after REvil made its ransom demand, nearly all traces of the cybercriminal group vanished from the internet, including its website and payment portal.
Now, somehow, Kaseya says it has managed to get hold of the universal decryption key, though it hasn’t explicitly said how that happened.
When asked by Gizmodo where the key came from, a Kaseya spokesperson reiterated that it had come from “a trusted third party.” When asked whether the company paid for the key, the spokesperson said that the company couldn’t “comment to your question around payment.”
Even if the company had doled out the massive ransom, it’s not entirely clear how or when an exchange would have happened, since REvil has since “gone dark.” Still, there are a couple of theories floating around as to what might have happened.
Some experts have wondered whether the Russian government “might have seized the key from the criminals and handed it over through intermediaries,” The Guardian writes. This seems plausible, since we know that the Kaseya incident inspired significant political tensions between the White House and the Kremlin. President Joe Biden reportedly had a curt conversation with Vladimir Putin not long after the Kaseya attack, in which he asked the Russian leader to essentially take responsibility for the cybercriminals operating within his country’s borders.
Another hypothetical scenario could be that Kaseya actually paid the ransom fairly early in the extortion process, thus exchanging the money for the key. That might explain why REvil has since disappeared. That is, if it achieved what it set out to do, why not take the money and run?
All in all, it’s another somewhat mysterious resolution to a large-scale ransomware attack, a trend that seems to be increasingly common. A similarly vague climax occurred in early June, when the FBI announced that it had somehow managed to track and seize a majority of the ransom payment paid to the gang DarkSide after its attack on Colonial Pipeline. The feds never disclosed their methods and, similar to the situation involving REvil, DarkSide proceeded to “go dark” around the same time that the FBI seized its money.