Software company’s unveiling of decryption key comes too late for many victims of devastating ransomware attack
On Thursday, software company Kaseya announced that it could help unlock its customers’ systems that were still inaccessible following a devastating ransomware attack earlier this month that destroyed up to 1,500 companies around the world. But for many victims, it was too little, too late.

Kaseya had obtained a decryption key, the company said, which could release any files still locked by malware produced by the criminal gang REvil, which is said to be operating out of Eastern Europe or Russia.

For organizations whose systems were still offline three weeks after the attack, the new availability of a decryption tool offered a sign of hope, especially after REvil mysteriously disappeared from the Internet and left many organizations unable to contact the group.

But for many others who had already recovered without Kaseya’s help, either by paying the gang’s ransom weeks ago or by painstakingly restoring from backups, the announcement was of no help, and it opens a new chapter of scrutiny for Kaseya as the company refuses to answer questions about how it got the key and whether it paid the $70 million ransom demand or some other amount.

“It would have been really nice to have three weeks ago; we have now spent over 2,000 hours of recovery,” said Joshua Justice, CEO of IT vendor Just Tech, who worked around the clock for almost two weeks to get the systems of more than 100 customers back up and running from backups that Just Tech maintains. “Of course our customers couldn’t expect us to stay seated.”

Justice confirmed that the tool Kaseya made available worked for him. Kaseya spokesperson Dana Liedholm told CNN in a statement Friday that “less than 24 hours” had passed between when the company got the tool and when it announced its existence, and that it was providing the decryption key to tech support companies that are its customers, which, in turn, will use the tool to unlock the computers of countless restaurants, accounting offices and dental practices affected by the hack.

In order to access the tool, Kaseya requires companies to sign a nondisclosure agreement, according to several cybersecurity experts working with the companies concerned. While such agreements are not unusual in the industry, they could make it more difficult to understand what happened after the incident. Kaseya declined to comment on the nondisclosure agreements.

Some companies affected by REvil’s malware are frustrated with Kaseya’s deployment of the tool weeks after the initial attack, according to Andrew Kaiser, vice president of sales at cybersecurity firm Huntress Labs, which works with three tech support companies affected by the hack.

“I spoke to a service provider yesterday,” Kaiser told CNN, “who said, ‘Hey listen, we’re a 10-20-person company. We have spent over 2,500 person-hours restoring from this across our business. If we had known there was potential to get this decryptor a week or 10 days ago, we would have made very different decisions. Now we’re down to 10 or 20 systems that could benefit from it.’”

Most companies in the same position have chosen to absorb the recovery costs rather than passing them on to customers, Kaiser said, which means they may have wasted work, time and money performing self-recovery in the midst of a crisis.

While some companies have managed to recover from the attack on their own, many others have struggled for weeks to no avail. The problem worsened when REvil’s websites disappeared, making it impossible to contact the group to make ransom payments or request technical assistance. The group’s unexplained disappearance has led to much speculation that the US or Russian government may have become involved, although neither country has claimed credit. US officials declined to comment and a Kremlin spokesperson denied any knowledge of the matter.

Cybersecurity firm GroupSense was working with two organizations, a small to medium-sized private school and a law firm, which found themselves holding the bag when they could no longer communicate with REvil.

“We were in active negotiations with REvil when they went offline,” GroupSense chief intelligence officer Bryce Webster-Jacobsen told CNN earlier this week. “Immediately what we got from the victims we were working with was, ‘Wait, wait, what do you mean by these guys who are offline? What does this mean to us?’”

Other victims had already paid a ransom to REvil. One of those organizations was having trouble using the key it got from the group, said Critical Insight, a cybersecurity company the victim hired to help. But with REvil’s sudden disappearance, the victim found itself stranded, according to Mike Hamilton, co-founder of Critical Insight. The victim, which declined to be named and did not have reliable backups, feared having to go back to its clients to request new copies of all the data it needed to complete its work.

Kaseya’s announcement this week will likely mean eventual restoration of data for these victims. But that doesn’t change the resources they had to spend and the heart-wrenching decisions they had to make during the long stretch between when the attack happened and when Kaseya announced a decryptor, which victims did not know was a possibility.

“Three, four, five more days could be the difference between a business that continues to operate and one that says, ‘We can’t move forward,’” Kaiser said.

This sort of conundrum has been factored into the Biden administration’s thinking as law enforcement and intelligence officials explored taking ransomware groups offline, people familiar with the discussions said. The National Security Council in particular has studied how to avoid indirectly injuring victims who may not be able to recover their data if criminal groups are dismantled or disappear.

The administration has increasingly moved to disrupt ransomware networks, track ransom payments and build an international coalition against cybercrime. But officials have steadfastly declined to say whether the U.S. government played a role in REvil’s demise. The group, which is also accused of carrying out the recent ransomware attack on meat supplier JBS Foods, went offline shortly after a senior administration official vowed that US authorities would take action against ransomware groups “in the days and weeks to come”.

Basic cybersecurity hygiene is the best way for businesses to inoculate themselves against ransomware, an NSC spokesperson told CNN. But for victims, the administration is examining how its ransomware disruption strategy might affect them, the spokesperson said.

As more organizations accept Kaseya’s decryptor offer, it is possible that more information will come to light on how the company obtained the tool, Kaiser said.

Until then, cybersecurity experts have had to guess at what could have happened. Several experts agreed that the theories fall largely into a few main buckets.

It is technically possible, but unlikely, that Kaseya or any of its partners were able to reverse engineer the tool from the ransomware, said Drew Schmitt, senior threat intelligence analyst at GuidePoint Security. Groups like REvil tend not to leave vulnerabilities in their code that can be exploited, he added.

A more plausible theory, he said, is that Kaseya received help from law enforcement officials. If REvil’s disappearance was in fact the result of a government-led operation, authorities may have seized a decryptor they could use to help Kaseya, several cybersecurity experts have said.

It’s also possible that REvil itself handed over the decryptor, either on purpose or under pressure from US or Russian authorities, said Kyle Hanslovan, CEO of Huntress Labs.

But the most likely scenario is also the simplest, Schmitt said: that Kaseya or someone acting on its behalf paid the ransom.

This raises other questions Kaseya did not answer: Did the company pay a ransom? If so, when? If the company contacted REvil after the group’s disappearance, how did they communicate?

“There are a lot of scenarios that could have happened, but we don’t have a lot of information to say one way or the other,” said Schmitt, who added that information on Kaseya’s response to the attack “could serve as a case study for future situations going forward.”
