Kaseya, the Miami-based company at the center of a ransomware attack on hundreds of businesses over the Fourth of July holiday weekend, said on Thursday that it had received a key that would help customers unlock access to their data and networks.
The mystery is how the company obtained the key. Kaseya said only that it had obtained the key from a “third party” on Wednesday and that it was “effective at unlocking victims.”
The development is among the latest mysteries surrounding the Kaseya attack, in which a Russia-based ransomware group called REvil, short for Ransomware Evil, breached Kaseya and used it as a conduit to extort hundreds of Kaseya customers, including grocery and pharmacy chains in Sweden and two towns in Maryland, Leonardtown and North Beach.
The attack set off emergency meetings at the White House and prompted President Biden to call President Vladimir Putin of Russia and demand that he address the ransomware attacks stemming from inside his borders.
Within days of the call, REvil went dark. Gone was REvil’s “Happy Blog,” where it published emails and files stolen from REvil’s ransomware victims. Gone was its payment platform. Its most notorious members suddenly disappeared from cybercrime forums.
It is unclear whether REvil took itself offline on its own volition or at the command of the Kremlin, or whether the Pentagon’s hackers at Cyber Command had played any role. But it was a loss for Kaseya’s victims, who were still in the process of negotiating to get data back when their extortionists suddenly vanished.
Kaseya’s announcement that it had recovered the key was a welcome twist. Often when ransomware groups do turn over decryption tools to victims who have met their extortion demands, the tools are slow or ineffective. But in this case, Brett Callow, a threat researcher at EmsiSoft, a security firm that is working with Kaseya, confirmed the decryptor was “effective.”
José María León Cabrera and Julie Turkewitz contributed reporting.