Kaseya denies paying ransom for decryptor, refuses comment on NDA

The company was initially vague about how the universal decryption tool was obtained.

Software company Kaseya has denied paying a ransom for a universal decryptor after days of lingering questions about how the tool was obtained. 

On July 21, the company announced that a universal decryption tool had been obtained "from a third party". They were working with security company Emsisoft to help victims of the sprawling ransomware attack.

On Monday, Kaseya released a statement denying rumors that they paid a ransom to REvil, the ransomware group that launched the attack. REvil initially released a ransom demand of $70 million but reportedly lowered it to $50 million before their entire operation went dark on July 13.

"We are confirming in no uncertain terms that Kaseya did not pay a ransom -- either directly or indirectly through a third party -- to obtain the decryptor," Kaseya's statement said. 

"While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack, and we have not wavered from that commitment."

The statement goes on to address reports suggesting that their "continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks." 

According to the statement, Emsisoft and Kaseya's Incident Response team worked through the weekend, providing the decryptor to some of the 1500 victims affected by the attack, including a major supermarket chain in Sweden, Virginia Tech University and the local government computers in Leonardtown, Maryland.

The company said it is encouraging any victims to come forward, adding that the tool "has proven 100% effective at decrypting files that were fully encrypted in the attack."

While hundreds of affected victims welcomed the news of a universal decryptor, some noted that there was a non-disclosure agreement that Kaseya was forcing companies to sign in exchange for the decryptor. 

CNN confirmed that Kaseya required companies to sign the non-disclosure agreement in order to gain access to the decryptor. Kaseya spokesperson Dana Liedholm and multiple cybersecurity companies involved told ZDNet they were unable to comment on the non-disclosure agreement.

Former White House Chief Information Officer and cybersecurity expert Theresa Payton said non-disclosure agreements after attacks are more common than one would think but noted that "asking for an NDA from victims is not an everyday, every incident practice." 

"When a cyber incident impacts multiple victims in a supply chain attack, sometimes the legal counsel will ask victims to sign an NDA to ensure that the fix for the problem does not get disclosed publicly," Payton said. 

Payton added that the reasons behind asking for a non-disclosure agreement are not always nefarious and urged companies to consult their lawyers before signing anything. 

"If the reason behind the NDA is to ensure that the 3rd party that provided the key is not disclosed and the manner in which the decryption is made available is not disclosed, then the NDA makes a lot of sense," Payton told ZDNet.

"We don't want to tip our hands publicly to the cyber operatives behind any of the ransomware syndicates. We need to keep the nefarious cyber operatives guessing. If the NDA is not for that reason and is instead a legal maneuver to avoid lawsuits, that is disappointing. Given the large impact, it is understandable why their legal counsel might recommend the NDA for legal protections." 

Mark Kedgley, CTO at New Net Technologies, said it was an extremely rare set of circumstances considering Kaseya is both the exploited vendor and the provider of the decryption kit. 

He added that the NDA "will help diminish further analysis and discussion of the attack." 

"While you could see this would be desirable for Kaseya, it won't further the cybersecurity community's understanding of the breach," Kedgley said.