On Thursday, the software company Kaseya announced that it could help unlock any of its customers’ systems that were still inaccessible following a devastating ransomware attack early this month that took down as many as 1,500 businesses worldwide. But for many victims it was too little, too late.
Kaseya had obtained a decryption key, the company said, that could release any file still locked down by malicious software produced by the criminal gang REvil, which is believed to operate from Eastern Europe or Russia.
For the organizations whose systems were still offline three weeks after the attack, the newfound availability of a decryptor tool offered a sign of hope, especially after REvil mysteriously disappeared from the internet and left many organizations unable to contact the group.
But for many others that have already recovered without Kaseya’s help, either by paying off the ransomware gang weeks ago or by painstakingly restoring from backups, the announcement was no help – and opens a new chapter of scrutiny for Kaseya as it declines to answer questions about how it obtained the key and whether it paid the $70 million ransom demand or another amount.
“This would have been really nice to have three weeks ago; we’ve put in over 2,000 recovery hours now,” said Joshua Justice, the CEO of IT provider Just Tech which worked around the clock for the better part of two weeks to get more than 100 clients’ systems working again from the backups Just Tech maintains. “Of course our clients couldn’t expect us to sit around.”
Justice confirmed that the tool Kaseya has made widely available has worked for him. Kaseya spokesperson Dana Liedholm told CNN in a statement Friday that “fewer than 24 hours” elapsed between when it obtained the tool and when it announced its existence, and that it is providing the decryption key to the tech support firms that are its customers — which in turn will use the tool to unlock the computers of countless restaurants, accounting offices and dental practices affected by the hack.
In order to access the tool, Kaseya is requiring that businesses sign a non-disclosure agreement, according to several cybersecurity experts working with affected companies. While such agreements are not unusual in the industry, they could make it more difficult to understand what happened in the incident’s aftermath. Kaseya declined to comment on the non-disclosure agreements.
Some businesses hit by REvil’s malware are frustrated with Kaseya’s rollout of the tool weeks after the initial attack, according to Andrew Kaiser, VP of sales for the cybersecurity firm Huntress Labs, which works with three tech support firms affected by the hack.
“I talked with a service provider yesterday,” Kaiser told CNN, “who said, ‘Hey listen, we’re a 10-to-20-person company. We’ve spent over 2,500 man-hours restoring from this across our business. If we had known there was the potential to get this decryptor a week or 10 days ago, we would have made very different decisions. Now, we’re down to only 10 or 20 systems that could benefit from this.”
Most firms in the same position have chosen to eat the costs of recovery rather than pass them along to customers, Kaiser said, meaning they may have wasted labor, time and money performing self-recovery in a crisis.
Even though some companies successfully recovered from the attack on their own, many others have struggled for weeks to no avail. The problem was compounded when REvil’s websites vanished, making it impossible to contact the group to make ransom payments or seek technical assistance. The group’s unexplained disappearance led to widespread speculation that the US or Russian government may have gotten involved, though neither country has claimed credit. US officials have declined to comment, and a spokesman for the Kremlin has denied any knowledge of the matter.
The cybersecurity firm GroupSense had been working with two organizations, a small-to-midsized private school and a law firm, which were left holding the bag when they could no longer communicate with REvil.
“We were in active negotiations with REvil when they went offline,” GroupSense’s director of intelligence, Bryce Webster-Jacobsen, told CNN earlier this week. “Immediately, what we got from the victims we were working with was, ‘Wait, hang on, what do you mean these guys are offline? What does that mean for us?’”
Other victims had already paid a ransom to REvil. One such organization had been struggling to operate the key it obtained from the group, said Critical Insight, a cybersecurity firm the victim hired to help. But with REvil’s sudden disappearance, the victim was stranded, according to Mike Hamilton, Critical Insights’s co-founder. The victim, which declined to be named and had no reliable backups, was dreading having to return to its customers asking for new copies of all the data it needed to complete its projects.
Kaseya’s announcement this week will likely mean the eventual restoration of these victims’ data. But that doesn’t change the resources they had to spend, and the gut-wrenching decisions they had to make, during the long stretch of time between when the attack occurred and when Kaseya announced a decryptor that the victims did not know was a possibility.
“An extra three, four, five days could be the difference between a business continuing to operate and them saying, ‘We can’t move forward,’” said Kaiser.
Conundrum for Biden administration
That kind of conundrum has factored into the Biden administration’s thinking as law enforcement and intelligence officials have explored taking ransomware groups offline, people familiar with the discussions said. The National Security Council in particular has been studying how to avoid indirectly hurting victims who may be unable to get their data back if the criminal groups are taken down or disappear.
The administration has increasingly moved to disrupt ransomware networks, track ransom payments and build an international coalition against cybercrime. But officials have steadfastly declined to say whether the US government played a role in REvil’s disappearance. The group, which is also accused of carrying out the recent ransomware attack on meat supplier JBS Foods, went offline soon after a senior administration official vowed that US authorities would take action against ransomware groups “in the days and weeks ahead.”
Basic cybersecurity hygiene is the best way for companies to inoculate themselves against ransomware, an NSC spokesperson told CNN. But for victims, the administration is considering how its developing ransomware strategy may affect them, the spokesperson said.
As more organizations take up Kaseya’s offer of a decryptor, it’s possible more will come to light about how the company came by the tool, Kaiser said.
Until then, cybersecurity experts have been left guessing as to what may have occurred. Multiple experts agreed that the theories largely fall into a few main buckets.
It is technically possible, but unlikely, that Kaseya or one of its partners managed to reverse-engineer the tool from the ransomware, said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security. Groups like REvil tend not to leave vulnerabilities in their code that can be exploited, he added.
A more plausible theory, he said, is that Kaseya received help from law enforcement officials. If REvil’s disappearance was in fact the result of a government-led operation, the authorities may have seized a decryptor they could use to help Kaseya, several cybersecurity experts said.
It is also possible that REvil itself could have handed over the decryptor, either voluntarily or under pressure from US or Russian authorities, said Kyle Hanslovan, CEO of Huntress Labs.
But the likeliest scenario is also the simplest one, Schmitt said: That Kaseya or someone acting on its behalf paid the ransom.
That raises further questions that Kaseya has not answered: Did the company pay a ransom? If so, when? If the company communicated with REvil after it disappeared, how did it communicate?
“There are a lot of scenarios that could’ve occurred, but we don’t have much information to say one way or another,” said Schmitt, who added that information about Kaseya’s response to the attack “could serve as a case study for future situations moving forward.”