Kaseya deploys a master decryption key to unlock systems hit by REvil attack

It will help its customers affected by REvil's July 2nd ransomware attack.

AndreyPopov via Getty Images

Back on July 2nd, Russia-linked ransomware group REvil staged what ended up as a massive attack on IT management software giant Kaseya, as well as its clients and their customers. The group took advantage of vulnerabilities in the Kaseya software companies use to send out updates to computer networks, allowing it to distribute ransomware to as many as 1,500 businesses and organizations worldwide. Most of them are just small businesses, and some of the victims in New Zealand are schools, which aren't your typical ransomware targets. Now, Kaseya has announced that it has obtained a universal decryptor and will help those "impacted by the incident."

REvil originally demanded a payment of $70 million for a universal decryptor that will unlock the data owned by victims of the July 2nd attack. In mid-July, however, the group suddenly fell off the face of the internet. The critical sites it uses to communicate with victims vanished shortly after President Biden revealed that he talked to Russian President Vladimir Putin about ransomware attacks originating from his country. It's still unclear if the group disappeared from the internet as a result of that talk, of an offensive cyber operation conducted by US authorities or of something else entirely.

In its announcement, Kaseya said it "obtained the tool from a third party" and that it worked with software company Emsisoft to confirm that it can unlock victims' data. It also said that it formed teams to actively help "customers affected by the ransomware to restore their environments" and that its representatives will contact clients who haven't heard from the company yet.

When BleepingComputer asked Kaseya if it paid the ransom to obtain the key, the company replied that it "can't confirm or deny that." The publication also asked the FBI if it was involved in obtaining the decryption key, but the agency refused to comment on an ongoing investigation. That means that key's origin is still a mystery, though we doubt its source matters for the victims that just want to access their locked data.