Kaseya obtains 'universal decryptor key' to unlock cyber-attack victims

The company's VSA tool was hit by REvil ransomware on 2 July

IT management software firm Kaseya has obtained a "universal decryptor key" for those businesses impacted by the REvil ransomware attack that took place on 2 July.

The Russian-speaking group, whose dark web blog has now disappeared from the internet, used the company's VSA tool, which MSPs use to help monitor their clients' networks, to spread ransomware throughout its MSP client base and their customers.

Kaseya estimated that "approximately 50" of its on-premise MSP customers and 800-1,500 business were impacted by the one of the biggest cyber-attacks to date, with both its on-premise and SaaS servers eventually coming back online ten days after the attack following several delays.

The firm claims it now has a decryptor for those directly impacted by the attack, which was obtained "from a third party", and has teams "actively helping customers affected by the ransomware to restore their environments".

Kaseya did not say how it obtained the decryptor, only that it was working with anti-virus software company Emsisoft to support its "customer engagement efforts" and that it had "confirmed the key is effective at unlocking victims".

REvil demanded $70m in bitcoin as a ransom to release what it called a "universal decryptor" but it is unclear whether Kaseya, or any MSPs and businesses, paid individual ransoms to unlock their systems.

Following the attack, the Dutch Institute for Vulnerability Disclosure claims it identified seven vulnerabilities in Kaseya's software to the company back in April, and that one of those used in the attack had been highlighted.

It stressed that Kaseya was co-operative and "addressed some of them by releasing a patch" which was then followed by another patch soon after, but that it was "beaten by REvil in the final sprint".