Kaseya, which sells IT software to businesses all over the world, yesterday announced that it had “obtained a universal decryptor key” that can be used to undo the effects of a July 2 ransomware attack that crippled its clients’ operations. The hackers had demanded $70 million in BTC.
A Kaseya spokesperson told reporters that the tool came from a “trusted third party” but declined to provide further details.
Updates Regarding VSA Security Incident
July 3, 2021 – 10:30 AM EDT https://t.co/B2lvcxOvdm
— Kaseya Corp (@KaseyaCorp) July 3, 2021
Ransomware is malicious software that locks users out of their computer networks until they pay the hackers responsible, often in BTC, which can be sent without going through a bank (where it would be easier to track the recipients).
JBS USA, one of the largest meatpackers in the U.S., paid $11 million in BTC to the Russian cybercriminal group REvil in June so that it could restart its meat plants and get one-quarter of the nation’s beef supply back into grocery stores.
In May, Colonial Pipeline, which controls the flow of nearly half the fuel along the East Coast, made a $4.4 million payment to another Russia-linked hacking group, DarkSide. In that instance, federal law enforcement officials were able to recover much of the ransom, citing Colonial’s quick communication with the Department of Justice as a reason.
All of which leads one to suspect that Kaseya may have also paid the $70 million ransom, either with or without coordination from the U.S. government. Last year, the Treasury Department warned companies against paying hacking groups directly or through intermediaries, lest they run afoul of U.S. sanctions against the recipients. House Oversight Chair Carolyn Maloney pressed that issue again this June after the Colonial Pipeline attack.
There are other explanations as to how Kaseya got the decryption tool, one of which is that U.S. pressure on Russia is working. President Joe Biden told Russian President Vladimir Putin earlier this month that Russia would be held responsible for ransomware operations based in Russia—even if they’re not state-supported—provided the U.S. shares information Russia can act upon. Less than a week later, the website for REvil went offline. Either country may have worked toward getting the decryption key.
Alternatively, affected Kaseya clients may have pitched in.
Blockchain analytics firm Chainalysis estimates that, as of mid-May, hackers had received at least $81 million in ransomware payments this year alone. To deal with it, the U.S. has set up a Ransomware Task Force. Its allies in the G7 have committed resources to fighting it as well.