The Kaseya Ransomware Nightmare Is Almost Over

Nearly three weeks ago, a ransomware attack against a little-known IT software company called Kaseya spiraled into a full-on epidemic, with hackers seizing the computers of as many as 1,500 businesses, including a major Swedish grocery chain. Last week, the notorious group behind the hack disappeared from the internet, leaving victims with no way to pay up and free their systems. But now the situation seems close to finally being resolved, thanks to the surprise appearance on Thursday of a universal decryption tool.

The July 2 hack was about as bad as it gets. Kaseya provides IT management software that’s popular among so-called managed service providers, which are companies that offer IT infrastructure to customers that would rather not deal with it themselves. By exploiting a bug in Kaseya’s MSP-focused remote-management product, Virtual System Administrator (VSA), the ransomware group REvil was able to infect not just the MSPs running that software but their customers as well: a compromised VSA server can push software to every endpoint it manages, so the same trusted channel the MSPs used to administer their clients delivered the ransomware, resulting in a wave of devastation.

In the intervening weeks, victims had effectively two choices: pay the ransom to recover their systems, or rebuild what was lost through backups. For many individual businesses, REvil set the ransom at roughly $45,000. It attempted to shake down MSPs for as much as $5 million. It also originally set the price of a universal decryptor at $70 million. The group would later come down to $50 million before vanishing, likely in a bid to lay low during a high-tension moment. When they disappeared, they took their payment portal with them. Victims were left stranded, unable to pay even if they wanted to.

Kaseya spokesperson Dana Liedholm confirmed to WIRED that the company obtained a universal decryptor from a “trusted third party,” but did not elaborate on who provided it. “We have a team actively working with our customers who were affected, and will share more about how we will further make the tool available as those details become available,” Liedholm said in an emailed statement, adding that outreach to victims had already begun, with the help of antivirus firm Emsisoft.

“We are working with Kaseya to support their customer engagement efforts,” said Emsisoft threat analyst Brett Callow in a statement. “We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.”

Security firm Mandiant has been working with Kaseya on remediation more broadly, but a Mandiant spokesperson referred WIRED back to Liedholm when asked for any additional clarity around who provided the decryption key and how many victims still required it.

The ability to free up every device that remains encrypted is undeniably good news. But the number of victims left to help at this point may be a relatively small fraction of the initial wave. “The decryption key is probably helpful to some clients, but is likely too little too late,” says Jake Williams, CTO of security firm BreachQuest, which has multiple clients that were hit in the REvil campaign. That’s because anyone who could reconstitute their data, through backups, payment, or otherwise, likely would have done so by now. “The cases where it’s likely to help the most are those where there’s some unique data on an encrypted system that simply can’t be meaningfully reconstituted in any way,” Williams says. “In those cases, we recommended those orgs immediately pay for decryption keys if the data was critical.”

Many of the REvil victims were small and mid-sized businesses; as MSP customers, they’re definitionally the types who prefer to outsource their IT needs, which in turn means they may be less likely to have reliable backups readily available. Still, there are other ways to rebuild data, even if it means asking clients and vendors to send whatever they’ve got and start over from scratch. “It’s unlikely anyone was holding out hope for a key,” Williams says.

Still, for whatever stragglers do remain, today’s news represents the impending end of a weeks-long ordeal. It doesn’t, though, do much to ease broader concerns about the ransomware threat, or what the Kaseya campaign represented. Groups like Darkside and REvil and their affiliates—who give the main operators a cut of the proceeds in exchange for access to the malware—have become increasingly emboldened in recent months in both breadth and depth. Before Kaseya, REvil shut down food supply giant JBS. And before JBS, Darkside disrupted Colonial Pipeline, cutting off a large portion of the East Coast’s fuel supply.

Like REvil, Darkside vanished in the face of mounting legal and political pressure. But the people responsible for those attacks haven’t been identified or indicted, much less arrested. Security researchers broadly agree that it’s only a matter of time before they reemerge, likely under a different name but with the same cutthroat tactics. The latest ransomware scare appears to be resolved. The next one may already be underway.

