Kaseya Can Now Unlock Over 1K Businesses That Had Data Locked By REvil Ransomware

Kaseya, the Florida-based company whose software was compromised in a devastating REvil ransomware attack in July, received a universal key that decrypts all of the 1,000-plus companies and organizations targeted in the attack.

A spokeswoman for Kaseya, Dana Liedholm, did not say how the key was acquired or whether a ransom was paid, only that it came from a "trusted third party" and the company would share it with all victims.

Ransomware analysts said possible explanations for how the master key had appeared included that Kaseya paid, a government paid or victims pooled funds.

They said the Kremlin could also have seized the key from criminals and handed it over through intermediaries, or maybe the attack's principal protagonist didn't get paid by the gang whose ransomware was used.

For more reporting from the Associated Press, continue below:

Photo caption: Deputy U.S. Attorney General Lisa Monaco arrives for a press conference with FBI Deputy Director Paul Abbate on June 7 at the Justice Department in Washington, D.C. (Jonathan Ernst-Pool/Getty Images)

The Russia-linked criminal gang whose malware was used in the attack, REvil, disappeared from the internet on July 13. That likely deprived the affiliate that leased REvil's malware of potential income. Affiliates typically earn the lion's share of ransoms. While ransoms as low as $45,000 were demanded from smaller victims, the gang was believed to have been overwhelmed by more ransom negotiations than it could manage. It decided to ask $50 million to $70 million for a master key that would unlock all infections.

By now, many victims will have rebuilt their networks or restored them from backups.

It's a mixed bag, Liedholm said, because some "have been in complete lockdown." She had no estimate of the cost of the damage and would not comment on whether any lawsuits may have been filed against Kaseya. It is not clear how many victims may have paid ransoms before REvil went dark.

The so-called supply-chain attack on Kaseya was the worst ransomware attack to date because it spread through software that companies known as managed service providers use to administer multiple customer networks, delivering software updates and security patches.

President Joe Biden called his Russian counterpart, Vladimir Putin, afterward to press him to stop providing safe haven for cybercriminals whose costly attacks the U.S. government deems a national security threat. He has threatened to make Russia pay a price for failing to crack down but has not specified what measures the U.S. may take.

If the universal decryptor for the Kaseya attack was turned over without payment, it would not be the first time ransomware criminals have done that. It happened after the Conti gang hobbled Ireland's national healthcare service in May and the Russian Embassy in Dublin offered "to help with the investigation."