Should Kaseya pay REvil ransom? Experts are torn

REvil has lowered its demand to $50 million, but some believe Kaseya and other affected companies still should not pay.
Written by Jonathan Greig, Contributor

About 1,500 small to medium-sized companies and 50 MSPs are still struggling to deal with the fallout from the massive ransomware attack launched by REvil last week.

Dozens of small law offices and dental clinics are dealing with ransomware infections while 800 Coop supermarket chain stores in Sweden had to temporarily close after they were unable to open their cash registers.

Kaseya has not said if it is considering paying the ransom, but ZDNet reported that the company missed a July 6 deadline it had set for relaunching SaaS servers. It planned subsequent configuration changes to improve security, including an on-premises patch.


According to a statement from Kaseya, "an issue was discovered that has blocked the release" of the VSA SaaS rollout. "The R&D and operations teams worked through the night and will continue to work until we have unblocked the release," the company said, adding that it is working "around the clock to resolve this issue and restore service."

Operators with REvil initially demanded $70 million for decryption keys, but CNBC reported that private negotiators are saying the group is willing to lower its demand to $50 million, despite no changes to the figure on the leak site.

"It's just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities -- nobody will not cooperate with us," the ransomware group said in a message on its site. 

"Its not in our interests. If you will not cooperate with our service -- for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice -- time is much more valuable than money."

In two of the most recent high-profile ransomware attacks, on Colonial Pipeline and meat processor JBS, both companies paid millions in ransoms to get their data and systems back online, with varying success. Colonial Pipeline paid almost $5 million to DarkSide operators while JBS paid $11 million in Bitcoin to REvil, the same group behind the Kaseya attack.

While the official government answer is for companies to never pay ransoms, Rep. Eric Swalwell told ZDNet that situations like this are why he believes "Congress, in partnership with the White House and law enforcement, needs to take a coordinated approach to consider questions like this." 

"We can't wait any longer. Every light on the dashboard is flashing. Ransomware attacks are increasing in frequency and threatening to shut down entire sectors of the US economy," Swalwell said. 

"These attacks threaten both the economy and national security. Businesses are outmatched, and criminal organizations are holding them hostage. Ransomware is a threat to any person, business or organization that relies on computers."

Many cybersecurity experts urged Kaseya not to pay the ransom for a variety of reasons. Some said there was no evidence the decryption keys would work while others said payment would only validate the gang's decision to launch such a widespread attack. 

Mat Gangwer, vice president of Sophos Managed Threat Response, explained that he was not aware of any examples of REvil's decryptor not working and said there was no incentive for them to provide one that was unusable. 

"REvil has been quite proud of what they put together and wouldn't want to jeopardize that here," he said.

Bryson Bort, CEO of SCYTHE, said the kind of ransom REvil was demanding was unprecedented. Bort said he thought it was "not on Kaseya to pay the $70 million" and that they would need to "collect money from affected parties for a combined payment." 

"This has never been done before that I'm aware of. No one knows what that process would even look like -- they individually contribute to the same wallet and just trust?" Bort asked.


Ross McKerchar, Sophos vice president and CISO, said that regardless of whether the decryption keys are provided, the recovery effort will still be significant. 

"Impacted organizations use MSPs, to begin with, because they have limited IT resourcing, and these MSPs will be inundated with requests for assistance, restoring backups, and more, and the very tool MSPs use to access customer environments to remediate issues in this particular situation is offline," McKerchar explained.

John McClurg, CISO of BlackBerry, told ZDNet there is no golden rule when it comes to dealing with ransomware attacks. While paying ransoms is publicly discouraged, there are many instances where there may be no other way to recover. 

The financial impact of downed systems, reputational damage and the potential for permanent data loss can be catastrophic for many companies, McClurg said. 

David White, president of Axio, said Kaseya should instead reimburse individual companies for all the associated impacts connected to the attack, including any ransom payments individual companies may make. He argued that this would benefit the people who were hurt rather than the people behind the attack. 

According to White, it may also cost far less than the $70 million or $50 million ransom considering some companies may recover on their own. White added that in the recent case of JBS, the decryption keys worked after it paid a ransom but he cited analysis from Coveware that showed REvil sometimes demands a second payment and sometimes releases data that they promised to destroy. 

CYE CEO Reuven Aronashvili also noted that by paying ransoms, companies get put onto "blacklists" by ransomware gangs that know which companies will be willing to pay up in the event of an attack. 

Aronashvili also disputed White's assessment of the cost of recovering, explaining that $70 million is "definitely lower than the accumulated costs of the different organizations." But even with that, he suggested Kaseya not pay the ransom.  

Allan Liska, a ransomware expert and member of the computer security incident response team at Recorded Future, explained that any ransom paid to REvil will probably be used to buy another exploit for a zero day.

But he said that while Kaseya is feeling the heat for this fiasco, more pressure may be on REvil members, as evidenced by their willingness to drop their ransom demand from $70 million to $50 million. 

"This is a big mess for them that they don't want. They still have a limited staff and we already know that REvil is behind on processing negotiations and publishing to their extortion sites. They're just publishing data to their extortion sites from attacks that happened in the beginning of June," Liska said. 

"They're already overwhelmed with the number of attacks they have. Imagine having 1,500 victims going to your chat services trying to figure out what the ransom is and all this other stuff. It's a mess for them. And you've now got the attention of all these different world governments."

The brazenness of the attack has not gone unnoticed by world leaders, who will now devote significant resources to bringing the group down, Liska said, adding that due to hubris, the people behind REvil will want this to go away as quickly as possible but can't simply hand out decryption keys. 

REvil operators also have to contend with the fact that some MSPs may begin to help clients recover, damaging the group's ability to profit from the attack. 

"So they're going to get horribly bad press and they're going to make very little money. This started off as a very sophisticated operation. You have a zero day vulnerability with a zero day exploit being pushed through MSPs to push down. And then after that, it all looks like a cracker jack operation," Liska said. 

"It all looks like it's amateur hour, so they may need to do something else to save a little bit of face because while the front part of it looks very effective, the aftermath looks like a complete disaster for them." 

For Kaseya, Liska said paying the ransom would only compound the problems they face. In his experience, the decryptor given out to REvil victims has been lackluster and difficult to use. 

"So on top of whatever the ransom cost is, they'd have to pay Mandiant to write a real decryptor that they could distribute to the MSPs who could then distribute it to their clients. A lot of the clients that are hit hardest by this are lawyer shops that maybe have a staff of 10 or 15. They don't have the infrastructure to be able to recover from something like this so they're counting on their MSP to do it," he said. 

"But at the same time, you'd be giving a lot of money to a bad actor who has shown that they will use that money to do even worse things."

None of the MSPs have paid any ransoms but Liska said he has heard reports from other researchers who said some of the end victims have paid. 

But, overall, Liska told ZDNet he believes most people would understand if Kaseya decided against paying the ransom even if it would help a lot of people. Unlike other attacks, victims may be down for about a week or more, Liska added. 

"A lot of it is going to depend on how much access the MSPs have to backups and other things that can help with the restore," Liska said. "It does look like Kaseya is ready to push out the patch in the next couple of days and if that happens then, all of the MSPs are going to be able to bring their VSA back online and really start assessing what the damage is."
