Nearly three weeks ago, a ransomware attack against a little-known IT software company called Kaseya spiraled into a full-on epidemic, with hackers seizing the computers of as many as 1,500 businesses, including a major Swedish grocery chain. Last week, the notorious group behind the hack disappeared from the internet, leaving victims with no way to pay up and free their systems. But now the situation seems close to finally being resolved, thanks to the surprise appearance on Thursday of a universal decryption tool.
The July 2 hack was about as bad as it gets. Kaseya provides IT management software that’s popular among so-called managed service providers (MSPs), which are companies that offer IT infrastructure to companies that would rather not deal with it themselves. By exploiting a bug in MSP-focused software called Virtual System Administrator, the ransomware group REvil was able to infect not just those targets but their customers as well, resulting in a wave of devastation.
In the intervening weeks, victims had effectively two choices: pay the ransom to recover their systems or rebuild what was lost through backups. For many individual businesses, REvil set the ransom at roughly $45,000. It attempted to shake down MSPs for as much as $5 million. It also originally set the price of a universal decryptor at $70 million. The group would later come down to $50 million before vanishing, likely in a bid to lay low during a high-tension moment. When they disappeared, they took their payment portal with them. Victims were left stranded, unable to pay even if they wanted to.
Kaseya spokesperson Dana Liedholm confirmed to WIRED that the company obtained a universal decryptor from a “trusted third party,” but she did not elaborate on who provided it. “We have a team actively working with our customers who were affected, and will share more about how we will further make the tool available as those details become available,” Liedholm said in an emailed statement, adding that outreach to victims had already begun, with the help of antivirus firm Emsisoft.
“We are working with Kaseya to support their customer engagement efforts,” said Emsisoft threat analyst Brett Callow in a statement. “We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers."
The security firm Mandiant has been working with Kaseya on remediation more broadly, but a Mandiant spokeserson referred WIRED back to Liedholm when asked for additional clarity on who provided the decryption key and how many victims still required it.
The ability to free up every device that remains encrypted is undeniably good news. But the number of victims left to help at this point may be a relatively small chunk of the initial wave. “The decryption key is probably helpful to some clients, but it's likely too little too late,” says Jake Williams, CTO of security firm BreachQuest, which has multiple clients who were hit in the REvil campaign. That’s because anyone who could reconstitute their data, through backups, payment, or otherwise, likely would have done so by now. “The cases where it's likely to help the most are those where there's some unique data on an encrypted system that simply can't be meaningfully reconstituted in any way,” Williams says. “In those cases, we recommended those orgs immediately pay for decryption keys if the data was critical.”
Many of the REvil victims were small and midsize businesses; as MSP customers, they’re definitionally the types who prefer to outsource their IT needs—which in turn means they may be less likely to have reliable backups readily available. Still, there are other ways to rebuild data, even if it means asking clients and vendors to send whatever they’ve got and start over from scratch. “It's unlikely anyone was holding out hope for a key,” Williams says.
For whatever stragglers do remain, today’s news may herald the end of a weeks-long ordeal. However, it doesn’t ease broader concerns about ransomware threats or what the Kaseya campaign represented. Groups like Darkside and REvil and their affiliates—who give the main operators a cut of the proceeds in exchange for access to the malware—have become increasingly emboldened in recent months in both the breadth and depth of their attacks. Before Kaseya, REvil shut down the food supply giant JBS. And before JBS, Darkside disrupted Colonial Pipeline, cutting off a large portion of the East Coast’s fuel supply.
Like REvil, Darkside vanished in the face of mounting legal and political pressure. But the people responsible for those attacks haven’t been identified or indicted, much less arrested. Security researchers broadly agree that it’s only a matter of time before they reemerge, likely under a different name but with the same cutthroat tactics. The latest ransomware scare appears to be resolved. The next one may already be underway.