Following on from devastating ransomware attacks that affected users in over 22 countries at the start of July, software provider Kaseya has obtained a master decryptor key for the REvil ransomware.
The ransomware attacks exploited now-patched zero-day vulnerabilities in the Kaseya Virtual System/Server Administrator (VSA) platform and affected customers running the on-premises version of the product. Because VSA is a remote monitoring and management (RMM) tool used by managed service providers to administer their clients' software and network infrastructure, the compromise did not stop at the roughly 60 direct customers: around 1,500 downstream businesses, the clients of those providers, were also affected.
It is not yet clear whether the £50 million ransom demanded by the REvil cyber criminal gang was paid, as Kaseya announced in an advisory only that it had obtained the decryptor "through a third party." The next step is for Kaseya to work with affected customers to restore their environments; so far there have been no reports of problems with the decryptor. Another strange part of the story is that REvil has been dark since 13th July: its sites went offline and its representatives were banned from prominent underground forums.
Even though the master decryption key has been acquired, the attack isn't necessarily over. REvil is known for double extortion, in which data is exfiltrated before it is encrypted, so the group may still hold copies of victims' data and could use it to extort them further or auction it off.
Remediation will be tricky nonetheless, because significant damage has already been done in the form of downtime and recovery costs, both now and in the months ahead. Even with files decrypted, restoring devices and data is expensive. Decryption also does nothing about attacker access: these operators tend to leave persistence mechanisms and backdoors behind, so businesses being supported by Kaseya should rebuild compromised infrastructure into a clean, trustworthy state (reimaging hosts from known-good media and rotating credentials) rather than simply decrypting in place.
Neuways advises businesses to ensure that their data is backed up consistently as part of a comprehensive Business Continuity and Disaster Recovery (BCDR) plan. A BCDR plan means that if your business were hit by a ransomware attack such as the one carried out by REvil, you could keep operating with minimal downtime, rather than losing thousands of pounds or more while systems are rebuilt. For the plan to hold up, backups must be kept offline or immutable and restores tested regularly, since ransomware operators routinely target any backups they can reach.