Ransomware Decryption Key Obtained by Kaseya

A decryption key capable of unlocking the files of hundreds of businesses affected by the Kaseya ransomware attack is being distributed.

Miami-based IT firm Kaseya, who provide tech management tools to hundreds of businesses worldwide, were hit by a ransomware attack earlier this month. The attack affected up to 2000 businesses and organisations across the world, including a supermarket chain in Sweden and schools in New Zealand. Now, weeks after the ransomware attacks, Kaseya have gained access to a decryption key, allowing those affected to restore their files.

The perpetrators of the attack, the criminal ransomware gang REvil, demanded $70m worth of Bitcoin in exchange for the decryption key. It’s possible Kaseya paid the ransom, although a spokesperson for Kaseya, Dana Liedholm, would not say whether or not this was the case, only that the key had come from a “trusted third party”. Another possibility is that the key may have been seized by officials from the Kremlin in Russia, before being handed over to Kaseya.

Curiously, the REvil group disappeared from the internet earlier this week, potentially indicating the voluntary handing over of the decryption key. REvil’s websites mysteriously disappeared on 13th July, and people were unable to connect to the sites the gang used to communicate with victims and collect ransom payments. Days after REvil’s disappearance, the key found its way to Kaseya. REvil have been linked to a string of ransomware attacks, including one that hit JBS Foods earlier this year. Joe Biden warned Russia that there would be consequences if they failed to address the escalation in ransomware attacks believed to be originating from its borders, and the Biden administration has made combatting ransomware a top priority.