Kaseya, the Miami-based company at the center of a ransomware attack on hundreds of businesses over the Fourth of July holiday weekend, said on Thursday that it had obtained a key that would help customers unlock access to their data and networks.
The mystery is how the company obtained the key. Kaseya said only that it had received the key from a “third party” on Wednesday and that it was “effective at unlocking victims.”
The development is among the latest mysteries surrounding the Kaseya attack, in which a Russia-based ransomware group known as REvil, short for Ransomware Evil, breached Kaseya and used it as a conduit to extort hundreds of Kaseya customers, including grocery and pharmacy chains in Sweden and two towns in Maryland, Leonardtown and North Beach.
The attack set off emergency meetings at the White House and prompted President Biden to call President Vladimir Putin of Russia and demand that he address the ransomware attacks stemming from inside his borders.
Within days of the name, REvil went dark. Gone was REvil’s “Happy Blog,” where it published emails and files stolen from REvil’s ransomware victims. Gone was its payment platform. Its most notorious members suddenly disappeared from cybercrime forums.
It is unclear whether REvil took itself offline of its own volition or at the command of the Kremlin, or whether the Pentagon’s hackers at Cyber Command played any role. But it was a loss for Kaseya’s victims, who were still in the process of negotiating to get their data back when their extortionists suddenly vanished.
Kaseya’s announcement that it had recovered the key was a welcome twist. Often when ransomware groups do turn over decryption tools to victims who have met their extortion demands, the tools are slow or ineffective. But in this case, Brett Callow, a threat researcher at EmsiSoft, a security firm that is working with Kaseya, confirmed the decryptor was “effective.”
José María León Cabrera and Julie Turkewitz contributed reporting.