Kaseya obtains universal decryptor for REvil ransomware victims

Kaseya has obtained a universal decryptor that lets victims of the July 2nd REvil ransomware attack recover their files for free.

On July 2nd, the REvil ransomware operation launched a massive attack by exploiting a zero-day vulnerability in the Kaseya VSA remote management application to encrypt roughly sixty managed service providers and an estimated 1,500 businesses.

Soon after the attack, the threat actors demanded $70 million for a universal decryptor, $5 million for MSPs, and $40,000 for each individual extension encrypted on a victim’s network.

REvil’s $70 million ransom demand

Soon after, the REvil ransomware gang mysteriously disappeared, and the threat actors shut down their payment sites and infrastructure.

While most victims were not paying, the gang’s disappearance left companies that might have wanted to purchase a decryptor unable to do so.

Today, Kaseya stated that they received a universal decryptor for the ransomware attack from a “trusted third party” and are now distributing it to affected customers.

“We can confirm we obtained a decryptor from a trusted third party but can’t share any more about the source,” Kaseya’s SVP Corporate Marketing Dana Liedholm told BleepingComputer.

“We had the tool validated by an additional third party and have begun releasing it to our customers impacted.”

While Kaseya would not share details about the key’s source, they confirmed with BleepingComputer that it is the universal decryption key for the entire attack, allowing all MSPs and their customers to decrypt files for free.

When asked whether they paid a ransom to obtain the decryptor, Kaseya told BleepingComputer that they “can’t confirm or deny that.”

Emsisoft CTO Fabian Wosar told BleepingComputer that they were the third party who validated the key and will continue to assist Kaseya in their recovery efforts.

“We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers,” Wosar told BleepingComputer.

It is unclear what caused the REvil ransomware operation to shut down and go into hiding, and multiple international law enforcement agencies have told BleepingComputer that they were not involved in its disappearance.

After the attacks on JBS and Kaseya, the White House has pressured the Russian government to do something about the ransomware gangs believed to be operating inside Russia.

It is believed that the Russian government told the REvil ransomware gang to shut down and disappear to show that it was cooperating with the USA.

As the decryptor was obtained after the REvil gang’s disappearance, it is possible that Russia received it directly from the ransomware gang and shared it with US law enforcement as a gesture of goodwill.

When we asked the FBI whether they were involved in procuring the decryption key, we were told that they do not comment on ongoing investigations.

“The DOJ and FBI have an ongoing criminal investigation into the criminal enterprise behind the REvil/Sodinokibi ransomware variant and the actors responsible for the Kaseya ransomware attack specifically,” the FBI told BleepingComputer.

“Per DOJ policy, we cannot comment further on this ongoing investigation.”

REvil’s disappearance is likely not the end of the gang’s online activities.

In the past, the GandCrab ransomware operation shut down and rebranded as REvil, and it is expected that REvil will resurface as a new ransomware operation.

Update 7/22/21 9:42 PM EST: Added Emsisoft and FBI statements.