The software company at the center of a huge ransomware attack this month has obtained a universal key to unlock files of the hundreds of businesses and public organizations crippled by the hack.
Nineteen days after the initial attack over the Fourth of July weekend, the Florida-based IT management provider, Kaseya, has received the universal key that can unlock the scrambled data of all the attack’s victims, bringing the worst of the fallout to a close.
The so-called supply-chain attack on Kaseya is being labeled the worst ransomware attack to date because of how it spread: the attackers compromised remote-management software that managed service providers use to administer many customer networks at once, including to push software updates and security patches, so a single intrusion reached every downstream customer those providers served.
It affected 800 to 2,000 businesses and organizations – including supermarkets in Sweden and schools in New Zealand whose systems were frozen for days.
News of the key comes after the Russia-linked criminal syndicate that supplied the malware, REvil, disappeared from the internet on 13 July.
The group had asked for $50m to $70m for a master key that would unlock all infections. It is not clear how many victims may have paid ransoms before REvil went dark.
A Kaseya spokesperson, Dana Liedholm, would not say on Thursday how the key had been obtained or whether a ransom had been paid. She said only that it had come from a “trusted third party” and that Kaseya was distributing it to all victims. The cybersecurity firm Emsisoft confirmed that the key worked and was providing support.
Ransomware analysts offered several possible explanations for why the master key has now appeared. It is possible that Kaseya, a government entity, or a collective of victims paid the ransom. The Russian government might also have seized the key from the criminals and handed it over through intermediaries, experts said.
Hackers might also have handed over the decryptor for the Kaseya attack without payment – a move that would not be unprecedented for ransomware criminals.
By now, many victims will have rebuilt their networks or restored them from backups. But some, Liedholm said, “have been in complete lockdown”.
Liedholm had no estimate of the cost of the damage and would not comment on whether any lawsuits had been filed against the company.
Obtaining the key was a major step toward recovery from the hack, but Kaseya would probably be cleaning up the damage for some time, said Tim Wade, the technical director at the cybersecurity firm Vectra.
“From a distance, the emergence of a master key may appear more comforting than it should,” he said. “The value of accelerating the restoration of data and services shouldn’t be trivialized, but it won’t exactly erase the already extensive cost of these attacks.
“It may have some positive outcomes but as they say – it isn’t over ’til it’s over,” he added.
Joe Biden called his Russian counterpart, Vladimir Putin, after the hack to press him to stop providing safe haven for cybercriminals whose costly attacks the US government deems a national security threat. He has threatened to make Russia pay a price for failing to crack down but has not specified what measures the US may take.