Kaseya denies ransomware payment as it hails ‘100% effective’ decryption tool
Kaseya has denied rumors that it paid a ransom to the REvil cybercrime gang as it continues to roll out a decryptor to victims of a recent ransomware attack.
The software supply chain attack, which began on July 2, is believed to have affected up to 1,500 organizations via the hack of IT management platform Kaseya VSA.
Kaseya revealed on July 22 that it had obtained a decryption tool from a “third party” and was attempting to restore the environments of impacted organizations with the help of anti-malware experts Emsisoft.
Speculation
The update sparked speculation regarding the identity of the unnamed third party, with Allan Liska of Recorded Future’s CSIRT team positing a disgruntled REvil affiliate, the Russian government, or that Kaseya itself had paid the ransom.
The idea that the universal decryptor key became available due to law enforcement action was strengthened on July 13 when the dark web domains related to REvil abruptly went offline.
However, some experts also said it was likely that this was a prelude to REvil, whose other notable scalps include Travelex and meat supplier JBS, rebranding itself in a bid to dodge law enforcement.
Non-disclosure agreement
The cybercrime outfit is believed to have initially demanded a payment of $70 million from Kaseya, before lowering the asking price to $50 million.
Kaseya, which has reportedly granted organizations use of the decryptor contingent on signing a non-disclosure agreement, addressed rumors that it had paid a ransom in a statement yesterday (July 26):
Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could possibly be further from our goal. While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts not to negotiate with the criminals who perpetrated this attack and we’ve not wavered from that commitment. Therefore, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a 3rd party – to acquire the decryptor.
Kaseya stated that “the decryption tool has proven 100% effective at decrypting files that have been fully encrypted in the attack”.
It added: “We continue to offer the decryptor to customers that request it, and we encourage all our customers whose data may have been encrypted during the attack to touch base with your contacts at Kaseya”.
More zero-days
A week ago, meanwhile, security researchers from the organization that unearthed the zero-day Kaseya vulnerabilities exploited by REvil disclosed a trio of additional zero-day flaws in another Kaseya product.
The Dutch Institute for Vulnerability Disclosure (DIVD) advised users of cloud-based Kaseya Unitrends, which is available as an add-on for Kaseya VSA, not to expose the service to the web until a patch was released.
Also a week ago, Huntress Labs released a blog post speculating on why the compromise of 60 upstream managed service provider customers with a fake software update hadn’t had far more calamitous consequences.
Dismissing the idea that Kaseya’s system shutdown was the principal reason, security researcher John Hammond pondered, among other potential reasons, whether threat actors had learned “from previous incidents (like Colonial Pipeline) that a much bigger impact might invite government intervention?”
