19 days after REvil’s ransomware attack on Kaseya VSA systems, there’s a fix

Just ahead of the July 4th holiday weekend, a ransomware attack targeted organizations using Kaseya VSA remote management software. The outfit behind the attack, REvil, initially requested a $70 million ransom and claimed to have locked down millions of devices. That was before REvil suddenly went offline on July 13th, disconnecting its servers, abandoning forums, and shutting down a page on the dark web used to communicate with victims.

Now, Kaseya says it has obtained a universal decryptor from a “third party” that can restore data encrypted during the attack. The company has not said how it came by this technology, telling Bleeping Computer that it could not confirm or deny any ransom payment had occurred.

On 7/21/2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to remediate customers impacted by the incident.

We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor. Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.

NBC News reporter Kevin Collier first reported the decryption tool’s existence and speculates that one of three sources is likely behind the key: the US government, the Russian government, or a ransom payment to the attackers.

Kaseya says cybersecurity firm Emsisoft confirmed the restoration tool is “effective,” and now it’s working with victims of the attack to decrypt affected systems. It’s unknown how much help the tool will offer, coming several weeks after the attacks, but it’s better than nothing.