Kaseya Obtains Universal Decryptor for REvil Ransomware
In the wake of the attacks, the REvil gang (aka Sodinokibi) demanded $70 million for a universal public decryption key that would remediate all impacted victims – a price that one researcher said was eventually lowered to $50 million.
Late on Thursday afternoon, the vendor announced via its rolling advisory on the incident that it had obtained the decryptor “through a third party.” It’s unclear whether the ransom was indeed paid.
The advisory stated that Kaseya had obtained the tool from third parties and that it has teams working to help customers affected by the ransomware restore their environments. There have been no reports of any problems or issues with the decryptor. “Kaseya has partnered with Emsisoft in support of our customer engagement efforts. Emsisoft confirmed that the key works effectively at unlocking victims… Kaseya representatives will contact customers who have been affected by the ransomware.”
Deepening the mystery is the fact that REvil went dark as a criminal organization on July 13, when its sites vanished and its representatives were banned from prominent underground forums.
Emsisoft won’t reveal any further information. “We are working alongside Kaseya in support of their customer engagement efforts,” Emsisoft said in a statement to Threatpost. “We have confirmed that the key works effectively in unlocking victims, and will continue to support Kaseya’s customers.”
Threatpost reached out to Kaseya and will update this article with any additional information.
“The sudden appearance of this universal key suggests that ransom might have been paid,” Ivan Righi, cyber-threat intelligence analyst at Digital Shadows, said via email.
The Nightmare Isn’t Over Despite the Decryptor
Researchers warned that even though the master decryption key was obtained, it is not safe to assume the attack is over. REvil is well-known for its double-extortion tactics, in which company data is stolen before it is encrypted.
Righi stated that the group could still possess copies of victims’ data. The group could sell the data or extort victims, as it did in the past via its Happy Blog.
Erich Kron, the security awareness advocate for KnowBe4, stated that remediation is more than just applying the unlocking mechanism on files.
He noted via email that “significant damage has already been done in the way of downtime, recovery costs and both currently and in future.” Even once the data is decrypted, restoring data and devices remains expensive. Decrypting the data also does nothing to resolve issues that may remain, such as backdoors the attackers may have planted for later use. There is much more work to be done.
Tim Wade, the technical director of the CTO team at Vectra, said there may be more unpleasant surprises for victims after the attacks.
He warned that “From a distance, the emergence of master keys may seem more comforting than it should.” While the value of speeding up the restoration of data and services should not be underestimated, it will not erase the enormous cost of these attacks. That cost stems both from the disruption already suffered and from the proclivity of criminal operators to leave behind lingering backdoors, which creates an ongoing need to rebuild the compromised infrastructure to a trustworthy, clean state. Setting aside the question of how this key was acquired, there are still some benefits.
Snowball of Supply-Chain Attacks on MSPs
Although this attack was significant and extensive, it is not the first cyberattack to affect MSPs or their downstream customers this year. The Clop ransomware gang, for instance, targeted Accellion’s legacy FTA file-transfer software in February; multiple Accellion FTA customers, including the law firm Jones Day, Kroger, Shell and Singtel, were affected.
Researchers noted that the incidents are a lesson for all organizations when it comes to doing business with MSPs.
Kron stated that trusting external entities with the keys to the kingdom is a grave risk for an organization, and that MSPs have to protect customers when they are granted that kind of access. If ransomware has taken down or encrypted an organization’s backups, leaving it vulnerable, it is a good time to talk with service providers about how to eliminate this threat.