The American ICT service provider Kaseya received a decryption key or decryptor from an unknown party last Wednesday. This key can unlock files locked by a REvil ransomware attack earlier this month. The company will use the key received to help victims restart their businesses.
At the beginning of this month, Russia-affiliated hackers carried out a so-called supply chain attack on hundreds of companies worldwide. The attackers – members of the hacker group REvil – had discovered and exploited a zero-day vulnerability in the Virtual System Administrator (VSA) software. This is the program that Kaseya's customers use to remotely manage their own customers' computer systems and servers. The vulnerability allowed the hackers to install ransomware undetected. According to estimates, this happened at 800 to 1,500 companies, including several Dutch parties.
Security specialists and ethical hackers from our country almost prevented the attack. In April, they found a number of critical security vulnerabilities in the VSA software. They contacted Kaseya and together they tried to fix the vulnerabilities. But before Kaseya had a chance to roll out a patch, the supply chain attack happened. “If we had had a little more time, we would have succeeded,” said Wietse Boonstra and Frank Breedijk of the Dutch Institute for Vulnerability Disclosure (DIVD) about the incident.
A few days after the supply chain attack started, REvil made a statement. On its website on the dark web, the group posted a message that they were selling a universal decryptor that would fix all problems “within an hour.” However, it did come with a hefty price tag.
“If anyone wants to negotiate a universal decryptor, our price is $70 million in bitcoin. Then we publish a universal decryption key, which releases all files of our victims. Everyone can then recover from the attack within an hour. Are you interested in a deal? Please contact us using the instructions in the readme file,” the Russian hacker group wrote.
The ransom was never paid, and it looks like that is not going to happen. Kaseya received a decryptor from an unknown party last Wednesday. It can decrypt files encrypted by the REvil ransomware.
Cybersecurity company Emsisoft is helping Kaseya roll out the decryptor to affected customers. Emsisoft has tested the key and confirms that it will release files encrypted by REvil’s ransomware. Kaseya promises to contact customers who have been victims of the REvil ransomware.
Where REvil’s hackers currently are is a question that concerns several security experts and investigative services. In mid-July, from one moment to the next, the Russian hackers were nowhere to be found online. REvil’s websites spontaneously went dark on both the dark web and the regular internet. The telephone helpdesk was also suddenly no longer available, and their main spokesperson was banned from the popular hacker forum XSS.
A Kremlin spokesman told the Russian state news agency TASS that the Russian government had nothing to do with this. “I don’t know where the group is or where the hackers went,” he said. Rumour has it that REvil got too hot underfoot, stopped all operations immediately and is trying to erase all digital traces.
Another theory suggests that the US government ordered its security forces to take REvil’s infrastructure offline. President Biden and his Russian counterpart Vladimir Putin met several times this month about the cyberattacks hitting the US lately and being carried out from Russian soil. “I made it very clear to him that the US expects that when a ransomware operation is carried out from its territory, even if the state does not order it, we expect them to act if we give them enough information to act against whom that is,” Biden said of his talks with Putin.
White House press secretary Jen Psaki could not say whether the US government has anything to do with REvil’s disappearance.