June 30, 2022

Kaseya, the Miami-based company that was the focus of a ransomware attack on hundreds of companies over the July 4th holiday weekend, said Thursday it had received a key that would help customers unlock their data and regain access to their networks.

The mystery is how the company got the key. Kaseya said only that it received the key from a “third party” on Wednesday and that it was “effective at unlocking victims.”

The development is one of the latest mysteries surrounding the Kaseya attack, in which a Russia-based ransomware group called REvil, short for Ransomware Evil, compromised Kaseya and used it as a conduit to extort hundreds of Kaseya customers, including grocery and pharmacy chains in Sweden and two towns in Maryland, Leonardtown and North Beach.

The attack sparked emergency meetings at the White House and prompted President Biden to call Russian President Vladimir Putin and request that he address the ransomware attacks within his borders.

Within days of the call, REvil went dark. Gone was REvil’s “Happy Blog,” which published emails and files stolen from the group’s ransomware victims. Gone was its payment platform. Its most notorious members suddenly disappeared from cybercrime forums.

It is unclear whether REvil went offline of its own accord, on orders from the Kremlin, or because hackers at the Pentagon’s Cyber Command played a role. But it was a blow to Kaseya’s victims, who were still negotiating to get their data back when their extortionists suddenly disappeared.

Kaseya’s announcement that it had obtained the key was a welcome twist. When ransomware groups hand over decryption tools to victims who have paid their extortion demands, the tools are often slow or ineffective. But in this case, Brett Callow, a threat researcher at Emsisoft, a security firm that works with Kaseya, confirmed that the decryptor was “effective.”

José María León Cabrera and Julie Turkewitz contributed to the coverage.