In July, after the brazen ransomware attack that abused Kaseya’s IT management software, CISA and the FBI issued guidance for affected enterprises. More than 1,500 businesses were affected, including roughly 60 managed service providers (MSPs). The attack had such vast reach that international law enforcement agencies bore down on the ransomware group behind it.
What neither Kaseya nor the public knew was that the FBI had the ransomware decryption key in its possession. Had the FBI provided the key to Kaseya and the affected customers, which ranged from schools to hospitals, millions of dollars could have been saved, according to cyber security analysts. Others contend that, in this case, the needs of the many may not have outweighed the needs of these relatively ‘few’.
The decryption key details…
On July 21st, more than two weeks after the ransomware attack, the FBI disclosed that it held the decryption key. “The FBI must be cautious and deliberate in what is provided to victims,” the agency said in a statement.
Many of the affected organizations restored data from backups. It is unclear as to how many used the decryption key.
Kaseya clients without decryption keys
At least one of Kaseya’s MSP customers was forced to rebuild its clients’ systems from scratch. Employees worked around the clock, in 18-hour shifts, for over a month to get their own infrastructure and their clients’ infrastructure up and running again as quickly as possible.
“I had grown individuals crying to me in person and over the phone asking if their business was going to continue,” said an MSP customer spokesperson. Clients wondered whether downed infrastructure meant that they should abandon their enterprises altogether and, in some cases, retire early.
Universal decryption key realities
The FBI states that one reason for holding onto the decryption key for weeks was to verify that it worked and that releasing it would not pose a broader threat to Kaseya or to other organizations. The FBI contends that it obtained the key by gaining access to REvil’s servers. The REvil ransomware gang tells a different story.
After REvil resurfaced earlier this month, the group commented on the universal decryption key. According to REvil, the key had been released by accident: one of the gang’s coders allegedly mis-clicked and generated a universal decryption key, which was then handed out alongside the individual victim decryptors.
REvil’s reemergence and what that means
Researchers have found that REvil’s leadership may have cheated the group’s partners and affiliates out of their cuts of ransomware payments. A backdoor may have allowed the original REvil members to hijack communications with victims, enabling them to collect the entire payment for themselves.
The group has a history of using high-pressure tactics to extort millions of dollars from a wide range of victims. Since REvil’s recent reappearance, at least eight new victims have been hit with the group’s ransomware, including a legal aid society that serves the poor.
Could your enterprise be next? For more insights into the global spotlight on ransomware and what REvil’s reemergence might mean for your business, click here. For further cutting-edge analysis and executive-level resources, sign up for the Cyber Talk newsletter, here.