Almost three weeks ago, a ransomware attack on a little-known software company called Kaseya turned into a full-blown epidemic, with the hackers compromising the computers of as many as 1,500 companies, including a major Swedish grocery chain. Last week, the notorious group behind the hack vanished from the internet, leaving victims with no way to pay the ransom and unlock their systems. Now it seems the situation may finally be resolved: a universal decryption tool surfaced on Thursday.
The July 2 hack was as bad as they come. Kaseya sells IT management software that is popular among so-called managed service providers, companies that run IT infrastructure for businesses that would rather not handle it themselves. By exploiting a flaw in Kaseya's MSP-oriented product, Virtual System Administrator, the REvil ransomware group was able to infect not only those MSPs but also their customers, creating a cascading disaster.
That left victims with effectively two options: pay the ransom to recover their systems, or rebuild what was lost from backups. For many individual businesses, REvil set the ransom at roughly $45,000. It tried to extort MSPs for $5 million. It also priced its original universal decryptor at $70 million. The group was reported to have dropped that to $50 million before it disappeared, likely going quiet at a time of heightened tension. When the group vanished, it took its payment portal with it. Victims were left stranded, unable to pay even if they wanted to.
Kaseya spokeswoman Dana Liedholm confirmed to WIRED that the company has obtained a universal decryptor from a “trusted third party,” but did not specify who provided it. “We have a team that is actively working with our affected clients, and we will share more on how we will put the tool in place as these details become available,” Liedholm said in an email, adding that outreach to victims has already begun, with the support of the antivirus company Emsisoft.
“We are working with Kaseya to achieve customer engagement,” Emsisoft threat analyst Brett Callow said in a statement. “We have confirmed that the key to unlocking victims is effective, and we will continue to provide support to Kaseya and its clients.”
The security firm Mandiant has been working with Kaseya on the broader remediation effort, but a Mandiant spokesperson referred WIRED to Liedholm for questions about who provided the decryption key and how many victims still need it.
The ability to unlock every device that remains encrypted is undeniably good news. But the number of victims it can help at this point may be a relatively small fraction of the initial wave. “The decryption key is certainly helpful for some customers, but it’s likely too late,” says Jake Williams, CEO of the security company BreachQuest, which has a large number of customers who were hit in the REvil campaign. Anyone who could recover their data, whether from backups, by paying, or by other means, has probably done so by now. “The cases it can help the most are when there is special data on an encrypted system that is in no way significantly meaningful,” Williams says. “In such cases, if there is critical data, we recommend that these organizations pay for the decryption keys immediately.”
Many of REvil’s victims were small and medium-sized businesses; as MSP customers, they are precisely the type that prefers to outsource its IT needs, which means they are less likely to have reliable backups readily available. There are other ways to reconstruct the data, though, even if it means going to customers and vendors and asking them to send everything over again from scratch. “Hardly anyone would have been hoping for the key,” Williams says.