Kaseya victim struggling with decryption after REvil goes dark

One victim of the Kaseya attack is left with few options for help now that their decryptor is not working and REvil's help desk has vanished.
Written by Jonathan Greig, Contributor

Many victims of the Kaseya ransomware attack are still in the process of recovering but one victim is facing a particularly difficult issue. 

Mike Hamilton, former CISO of Seattle and now CISO of ransomware remediation firm Critical Insight, told ZDNet that a customer, who asked not to be named, was one of the few Kaseya victims to pay a ransom to the REvil ransomware group.

Hamilton explained that the company paid the ransom and received the decryption keys from REvil but have found that they aren't working. REvil typically offers a help desk function that aids victims with getting back their data. 

But REvil made news this week when all of their websites went dark, causing widespread speculation about why they potentially closed shop. 

Now that REvil has shuttered its operation, the company has been left with few options to address their issue, Hamilton said.

"Some of our customers got off really easily. If you had that agent installed on unimportant computers, you just rebuilt them and got back to life. But we got a distress call a few days ago from a company that got hit hard because they had a company that was managing a lot of their servers with the Kaseya VSA. They got a lot of their servers hit and had a lot of information on them and so they brought in their insurance company and decided to pay the ransom," Hamilton said. 

"They got their decryption key and when they started to use it, they found that in some places it worked and in other places it didn't. These ransomware gangs have customer support but all of a sudden they went dark. They're completely gone and so there is no help and these folks are just stuck. They're going to end up losing a lot of data and they're going to end up spending a lot of money to completely rebuild their network from scratch."

ZDNet contacted multiple cybersecurity experts and companies to see whether other Kaseya victims were facing similar issues. But almost all of those contacted said most victims did not pay ransoms and that they have not seen any other company going through an issue similar to this. 

Hamilton said that due to the size of the attack -- estimates say about 1,500 organizations were affected -- there had to be others who paid the ransom but are now struggling to decrypt their files without the help of REvil's support systems. 

Recorded Future ransomware expert Allan Liska theorized that REvil was not expecting all of these single machine infections and was ill-prepared to handle decryptions for each one. 

Following the attack, there was significant discussion online about whether one decryption key would work for all of the Kaseya victims. Experts said it was absolutely possible for REvil to have created separate decryption keys for each victim but the ransomware group eventually came forward to offer Kaseya a universal decryptor for a $70 million ransom

"My guess is [REvil] has shit decryptor key management so they may not know which key to give out to each individual victim. They may have been handing out the wrong keys to the few $45,000 victims who paid," Liska said.

Hitesh Sheth, CEO at Vectra, said his team has seen descriptions of sophisticated customer support channels run by ransomware bandits but noted that REvil's disappearance is more evidence that these groups are "out to make money, not nurse their victims back to strength." 

Hamilton said the situation facing the company unable to get their decryptor working "is the result of a well-intended federal policy that caused a lot of collateral damage." 

While both US authorities and Russian officials have denied any involvement in REvil's disappearance, Hamilton said he believes the gang went dark because of how the conversation about ransomware has changed in the US over the last few months. 

While he does think it's a possibility that the people behind REvil stopped of their own volition, he said it was more likely that Russian government officials put pressure on REvil due to the increased pressure coming from the Biden administration. 

"This particular predicament that a lot of companies find themselves in right now is the result of being collateral damage for our federal policy changes. Who knows? This could have been an intentional act on the way out the door. 'We're going to do this huge thing and then we're going to disappear as a final poke in the eye.' But I'm still going to say that this is the result of our change in policy and how that is affecting Vladimir Putin's conversation with his intelligence people," Hamilton said.  

"It just happened to be timed in such a way that it left a bunch of people high and dry right after this this shotgun blast went out. Other companies that are in this particular predicament right now are probably just going to lose data, and they're going to have to rebuild from scratch, and this may drive some companies out of business."

Editorial standards