Software Company’s Decryption Key Unveiling Comes Too Late For Many Victims Of Devastating Ransomware Attack
Kaseya had obtained a decryption key, the company said, which could release any files still locked by malware produced by the criminal gang REvil, which is said to be operating out of Eastern Europe or Russia.
For organizations whose systems were still offline three weeks after the attack, the new availability of a decryption tool offered a sign of hope, especially after REvil mysteriously disappeared from the Internet and left many organizations unable to contact the group.
But for many others who had already recovered without Kaseya’s help, either by paying the gang weeks ago or by painstakingly restoring from backups, the announcement was of no help – and it opens a new chapter of scrutiny for Kaseya, which declines to answer questions about how it got the key and whether it paid the $70 million ransom demand or some other amount.
“It would have been really nice three weeks ago; we’ve spent over 2,000 recovery hours now,” said Joshua Justice, CEO of IT vendor Just Tech, who worked around the clock for almost two weeks to get the systems of over 100 customers up and running again from backups maintained by Just Tech. “Of course our customers couldn’t expect us to stay seated.”
Justice confirmed that the tool Kaseya made available worked for him. Kaseya spokesperson Dana Liedholm told CNN on Friday that “less than 24 hours” had passed between when the company got the tool and when it announced its existence, and that it was providing the decryption key to the tech support companies that are its customers – who in turn will use the tool to unlock the computers of countless restaurants, accounting offices, and dental practices affected by the hack.
In order to access the tool, Kaseya requires companies to sign a nondisclosure agreement, according to several cybersecurity experts working with the companies concerned. While such agreements are not unusual in the industry, they could make it more difficult to understand what happened as a result of the incident. Kaseya declined to comment on the nondisclosure agreements.
Frustration
Some companies affected by REvil’s malware are frustrated with Kaseya’s deployment of the tool weeks after the initial attack, according to Andrew Kaiser, vice president of sales at cybersecurity firm Huntress Labs, which works with three of the tech support companies affected by the hack.
“I spoke to a service provider yesterday,” Kaiser told CNN, “who said, ‘Hey listen, we’re a 10-20 person company. We have spent over 2,500 person-hours restoring from this across our business. If we had known there was potential to get this decryptor a week or 10 days ago, we would have made very different decisions. Now we’re down to 10 or 20 systems that could benefit from it.’”
Most companies in the same position have chosen to absorb the recovery costs rather than pass them on to customers, Kaiser said, which means they may have wasted labor, time and money recovering on their own.
While some companies have managed to recover from the attack on their own, many others have struggled for weeks to no avail. The problem was compounded when REvil’s websites disappeared, making it impossible to contact the group to make ransom payments or request technical assistance. The group’s unexplained disappearance has led to much speculation that the US or Russian government may have become involved, although neither country has claimed credit. US officials declined to comment and a Kremlin spokesperson denied any knowledge of the matter.
Cyber security firm GroupSense was working with two organizations, a small to medium-sized private school and a law firm, which found themselves holding the bag when they could no longer communicate with REvil.
“We were in active negotiations with REvil when they went offline,” GroupSense chief intelligence officer Bryce Webster-Jacobsen told CNN earlier this week. “Immediately what we got from the victims we were working with was, ‘Wait, wait, what do you mean these guys are offline? What does this mean for us?’”
Other victims had already paid a ransom to REvil. One of those organizations was struggling to use the key it got from the group, said Critical Insight, a cybersecurity company the victim hired to help. But with REvil’s sudden disappearance, the victim found itself stranded, according to Mike Hamilton, co-founder of Critical Insight. The victim, which declined to be named and lacked reliable backups, feared having to go back to its clients to request new copies of all the data it needed to complete its plans.
Kaseya’s announcement this week will likely mean the eventual restoration of data for these victims. But that doesn’t change the resources they had to spend and the heart-wrenching decisions they had to make during the long stretch between when the attack happened and when Kaseya announced a decryptor, which victims did not know was a possibility.
“Three, four, five more days could be the difference between a business that continues to operate and one that says, ‘We can’t move forward,’” Kaiser said.
The conundrum for the Biden administration
This kind of conundrum has been echoed in the thinking of the Biden administration as law enforcement and intelligence officials explored taking the ransomware groups offline, people familiar with the discussions have said. The National Security Council in particular has studied how to avoid indirectly harming victims who may not be able to recover their data if criminal groups are dismantled or disappear.
The administration has increasingly focused on disrupting ransomware networks, tracking ransom payments, and building an international coalition against cybercrime. But officials have steadfastly declined to say whether the US government played a role in REvil’s demise. The group, which is also accused of carrying out the recent ransomware attack on meat supplier JBS Foods, went offline shortly after a senior administration official vowed that US authorities would take action against ransomware groups “in the days and weeks to come”.
Basic cybersecurity hygiene is the best way for businesses to inoculate themselves against ransomware, an NSC spokesperson told CNN. But for victims, the administration is examining how its ransomware disruption strategy might affect them, the spokesperson said.
As more organizations accept Kaseya’s decryptor offer, it is possible that more information will come to light on how the company got the tool, Kaiser said.
Until then, cybersecurity experts are left to guess what might have happened. Several experts agreed that the theories fall largely into a few main buckets.
It is technically possible, but unlikely, that Kaseya or one of its partners successfully reverse engineered the tool from the ransomware, said Drew Schmitt, senior threat intelligence analyst at GuidePoint Security. Groups like REvil tend not to leave vulnerabilities in their code that can be exploited, he added.
A more plausible theory, he said, is that Kaseya received help from law enforcement officials. If REvil’s disappearance was in fact the result of a government-led operation, authorities may have seized a decryptor they could use to help Kaseya, several cybersecurity experts have said.
It’s also possible that REvil itself handed over the decryptor, either on purpose or under pressure from US or Russian authorities, said Kyle Hanslovan, CEO of Huntress Labs.
But the most likely scenario is also the simplest, Schmitt said: that Kaseya or someone acting on its behalf paid the ransom.
This raises other questions Kaseya did not answer: Did the company pay a ransom? If so, when? If the company contacted REvil after its disappearance, how did they communicate?
“There are a lot of scenarios that could have happened, but we don’t have a lot of information to say one way or the other,” said Schmitt, who added that information about Kaseya’s response to the attack “could serve as a case study for future situations going forward.”