Kaseya obtained a universal decryptor for REvil ransomware attack

Pierluigi Paganini July 23, 2021

The software provider Kaseya announced that it has obtained a universal decryptor for the REvil ransomware.

Earlier this month, a massive supply chain attack conducted by the REvil ransomware gang hit the cloud-based managed service provider platform Kaseya, impacting both other MSPs using its VSA software and their customers.

The VSA tool is used by MSPs to perform patch management and client monitoring for their customers. Like other supply chain attacks, the REvil ransomware operators initially compromised Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premises servers to infect the enterprise networks.

For the initial attack vector, REvil operators exploited an authentication bypass zero-day (CVE-2021-30116) in the web interface of the Kaseya VSA server to gain an authenticated session. Then, the attackers uploaded the payload and executed a command via SQL injection to deploy the malicious updates. Ransomware operators initially asked the owners of systems infected in this campaign for $44,999 worth of Bitcoin. Later, they changed tactics and demanded a single massive ransom of $70 million from all of the victims.

Kaseya now announced that it has received, from a trusted third party, a universal decryptor that allows victims of the ransomware attack to recover their files for free.

The software firm tested the tool and verified that it successfully recovers files encrypted by the REvil ransomware. The company is now providing the tool to its customers to help them restore the encrypted systems.

The company confirmed that fewer than 60 of its customers and fewer than 1,500 businesses have been impacted by the attack.

“While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure. Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants. Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.” reads a statement published by the company.

Since most of Kaseya’s customers are managed service providers, companies that provide IT support to their own customers, Kaseya estimated that the number of companies impacted in the July 2 attack was most likely between 800 and 1,500.

Starting the night of July 13, the infrastructure and the websites used by the REvil ransomware gang were mysteriously unreachable, BleepingComputer reported.

“The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure.” reported BleepingComputer. “Starting last night, the websites and infrastructure used by the REvil ransomware operation have mysteriously shut down.”

The Tor leak site, the payment website “decoder[.]re”, and their backend infrastructure went offline simultaneously.

The availability of a universal decryptor made the headlines, but the company did not reveal whether it obtained the tool by paying the ransom.

We cannot rule out that the REvil operators released the decryptor for free to escape pressure from the authorities and law enforcement.

For an in-depth analysis of the Kaseya ransomware attack, take a look at the following post:
