Kaseya received a universal decryptor that allows victims of the REvil ransomware attack on July 2 to recover their files for free.
On July 2, the REvil ransomware operation launched a massive attack by exploiting a zero-day vulnerability in the Kaseya VSA remote management application to encrypt approximately sixty managed service providers and approximately 1,500 companies.
After the attack, threat actors demanded $ 70 million for a universal decryptor, $ 5 million for MSP, and $ 40,000 for each encrypted extension on a victim’s network.
Revil’s $ 70 million ransom demand
Soon after, the REvil ransomware gang mysteriously disappeared and threat actors shut down their payment sites and infrastructure.
While most of the victims did not pay, the disappearance of the gang prevented companies that may have needed to buy a decryptor from doing so.
Today, Kaseya has stated that they received a universal decryptor for the ransomware attack from a “trusted third party” and are now distributing it to affected customers.
“We can confirm that we obtained a decryptor from a trusted third party, but we cannot share more about the source,” Dana Liedholm, Kaseya’s senior vice president of corporate marketing, told Bleeping Computer.
“We had the tool validated by an additional third party and began delivering it to our affected customers.”
While Kaseya did not share information about the source of the key, they confirmed with BleepingComputer that it is the universal decryption key for the entire attack, allowing all MSPs and their clients to decrypt files for free.
When asked if they paid a ransom to receive a decryptor, Kaseya told BleepingComputer that they “cannot confirm or deny that.”
It is unclear what caused the REvil ransomware operation to shut down and go into hiding, and several international law enforcement agencies have told BleepingComputer they were not involved in its disappearance.
Following the attack on JBS and Kaseya, the White House has lobbied the Russian government to do something about the ransomware gangs believed to be operating in Russia.
The Russian government is believed to have told the REvil ransomware gang to shut down and disappear to show that they were working with the US.
As the decryptor was obtained after the demise of the REvil gang, Russia may have received it directly from the ransomware gang and shared it with the US police as a gesture of goodwill.
REvil’s disappearance is probably not the end of the gang’s online activities.
In the past, the GandCrab ransomware operation was shut down and renamed REvil, and REvil is expected to resurface again as a new ransomware operation.