In July, after the bold ransomware attack on Kaseya’s IT systems, CISA and the FBI emerged with guidance for affected enterprises. More than 1,500 firms were affected, including roughly 60 managed service providers (MSPs). The attack’s reach was so vast that international law enforcement agencies bore down on the ransomware group behind it.
What neither Kaseya nor the public knew was that the FBI had the ransomware decryption key within its possession. Why the FBI held back the ransomware decryption key was initially a bit of a mystery.
Had the FBI provided the decryption key to Kaseya and affected customers, which ranged in nature from schools to hospitals, millions of dollars could have been saved, according to cyber security analysts. Yet, others contend that the needs of the many may not have outweighed the needs of these relatively ‘few’.
The decryption key details…
On July 21st, more than two weeks after the ransomware attack occurred, the FBI released information confirming that it held the decryption key. “The FBI must be cautious and deliberate in what is provided to victims,” said the agency in a statement. Nonetheless, organizations expressed outrage over the deliberate withholding of the decryption key.
Many of the affected organizations restored data from backups. The process proved painstaking.
Kaseya clients without decryption keys
At least one of Kaseya’s MSP customers resorted to restoring clients’ systems from scratch. Employees worked around the clock (18-hour shifts) for over a month to ensure that their infrastructure and their clients’ infrastructure eventually operated both reliably and efficiently.
“I had grown individuals crying to me in person and over the phone asking if their business was going to continue,” said an MSP customer spokesperson. Clients wondered about whether downed infrastructure meant that they should abandon their enterprises altogether, and in some cases, retire early.
Universal decryption key realities
The FBI states that one reason for holding onto the decryption key for weeks was to ensure its validity. In its statements, the agency said it wished to ensure that the key did not pose broader threats to Kaseya or to other organizations. The FBI contends that it obtained the decryption key by gaining access to REvil’s servers. The REvil ransomware gang has a different story.
After REvil resurfaced earlier this month, the group commented on the universal decryption key. According to REvil, one of the gang’s coders accidentally released the key. Someone mis-clicked and generated a universal decryptor. The individual then offered it externally.
REvil’s reemergence and what that means
In related news, researchers have found that REvil’s leadership may have squeezed the group’s partners and affiliates out of their cuts of ransomware payments. A backdoor may have been used to enable the original REvil members to hijack communications with victims. In turn, this enabled REvil to collect 100% of payments.
The group has a history of leveraging high-pressure tactics to extort a range of victims for millions of dollars. Since REvil’s recent reappearance, at least eight new victims have reported attacks via the group’s ransomware, including a legal aid society for the poor.