Hope for victims of the supply chain attack on the US software manufacturer Kaseya, as a result of which the systems of around 1,500 customers worldwide were infected with ransomware and the stored data was encrypted. The manufacturer Kaseya has now apparently received a master key for decryption and hopes to be able to rescue the customers' data. Addendum: It looks like Kaseya requires victims to sign a non-disclosure agreement (NDA) before there is a decryption solution.
Background to the case
In early July 2021, there was a successful supply chain attack on Kaseya VSA. This is remote monitoring and management (RMM) software used by many managed service providers (MSPs). The supply chain attack delivered malware to all customer systems where VSA was in use. I had reported here on the blog (see links at the end of the article).
As a result of the malware infection, the REvil Ransomware group's encryption Trojan struck and encrypted the IT systems of approximately 1,500 companies worldwide. At the Swedish Coop Group, 800 supermarkets had to close (see Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang).
Gradually, more details are becoming known. For example, the vulnerability exploited for the attack was reported to Kaseya in April 2021 – and a vulnerability known since 2015 is still open in their management software. It is also known that the REvil group first demanded $70 million, and later $50 million, for the release of a master key. However, this group has recently disappeared from the scene (see REvil Ransomware Group server and infrastructure is shut down).
Kaseya has a universal decryptor key
On July 22, 2021, Kaseya announced that it had obtained a Universal Decryptor key for the encrypted data "from a third party."
On 7/21/2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we're working to remediate customers impacted by the incident.
We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor. Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.
We remain committed to ensuring the highest levels of safety for our customers and will continue to update here as more details become available.
Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.
What exactly happened remains unclear. Security researchers had speculated that only one victim had to pay to get a key that would enable decryption for all victims. Kaseya is working with Emsisoft on the decryption. Anyone affected will need to contact Kaseya support for more details.
Kaseya demands NDA from victims
Addendum: It looks like Kaseya is requiring victims to sign a non-disclosure agreement (NDA) before there is a decryption solution. I just came across the following tweet.
It says that Kaseya's sales department does not respond to customer inquiries, and if anything does come back, it is a confidentiality agreement to be signed. With such vendors you don't need another enemy, I guess.
Huntress published this blog post detailing the supply chain attack.
Similar articles:
REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP)
Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang
Follow-up to the Kaseya supply chain attack