‘We are confirming in no uncertain terms that Kaseya did not pay a ransom’

Kaseya has denied rumors that it paid a ransom to the REvil cybercrime gang as it continues to roll out a decryptor to victims of a recent ransomware attack.

The software supply chain attack, which began on July 2, is believed to have affected up to 1,500 organizations via the hack of IT management platform Kaseya VSA.


BACKGROUND REvil ransomware attackers demand $70m following Kaseya VSA supply chain attack


Kaseya revealed on July 22 that it had obtained a decryption tool from a “third party” and was working to restore the environments of impacted organizations with the help of anti-malware experts Emsisoft.

Speculation

The update sparked speculation as to the identity of the unnamed third party, with Allan Liska of Recorded Future’s CSIRT team positing a disgruntled REvil affiliate, the Russian government, or that Kaseya themselves had paid the ransom.

The theory that the universal decryptor key became available because of law enforcement action was strengthened on July 13 when the dark web domains associated with REvil abruptly went offline.


Catch up on the latest ransomware-related news and analysis


However, some experts also said it was likely that this was a prelude to REvil, whose other notable scalps include Travelex and meat supplier JBS, rebranding itself in a bid to dodge law enforcement.

Non-disclosure agreement

The cybercrime outfit was believed to have initially demanded a payment of $70 million from Kaseya, before lowering the asking price to $50 million.

Kaseya, which has reportedly granted organizations access to the decryptor contingent on signing a non-disclosure agreement, addressed rumors that it had paid a ransom in a statement yesterday (July 26):


Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal. While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment. As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.


Kaseya said that “the decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack”.

It added: “We continue to provide the decryptor to customers that request it, and we encourage all our customers whose data may have been encrypted during the attack to reach out to your contacts at Kaseya”.

More zero-days

Last week, meanwhile, security researchers from the organization that unearthed the zero-day Kaseya vulnerabilities exploited by REvil disclosed a trio of additional zero-day flaws in another Kaseya product.

The Dutch Institute for Vulnerability Disclosure (DIVD) advised users of cloud-based Kaseya Unitrends, which is available as an add-on for Kaseya VSA, not to expose the service to the internet until a patch was released.

Also last week, Huntress Labs released a blog post speculating on why the compromise of 60 upstream, managed service provider customers via a fake software update hadn’t had even more calamitous consequences.

Dismissing the idea that Kaseya’s system shutdown was the primary reason, security researcher John Hammond pondered, among other potential reasons, whether threat actors had learned “from previous incidents (like Colonial Pipeline) that a much larger impact might invite government intervention?”


RELATED No More Ransom celebrates success in helping 600k people recover from ransomware attacks