About three weeks ago, a ransomware attack against a little-known IT software company called Kaseya escalated into a full-blown epidemic, with hackers seizing control of roughly 1,500 businesses, including a large Swedish grocery chain. Last week, the notorious group behind the hack disappeared from the internet, leaving victims with no way to pay and unlock their systems. But now the situation appears close to finally being resolved, thanks to the surprise appearance of a universal decryption tool on Thursday.
The July 2 hack was about as bad as it gets. Kaseya provides IT management software that is popular among so-called managed service providers (MSPs), companies that run IT infrastructure for businesses that would rather not handle it themselves. Using a bug in Kaseya's MSP-centric software, known as Virtual System Administrator (VSA), the ransomware group REvil was able to infect not only the MSPs themselves but also their clients, resulting in a cascade of damage.
In the intervening weeks, victims effectively had two choices: pay a ransom to recover their systems, or rebuild what was lost from backups. For many individual businesses, REvil set the ransom at approximately $45,000. It tried to extract as much as $5 million from MSPs. And it initially set the price of a universal decryptor at $70 million. The group later dropped that to $50 million before vanishing, possibly lowering the price under mounting pressure. When they disappeared, they took their payment portal with them. Victims were stranded, unable to pay even if they wanted to.
Kaseya spokeswoman Dana Liedholm confirmed to Wired that the company had obtained a universal decryptor from a "trusted third party", but did not elaborate on who provided it. "We have a team actively working with affected customers, and as those details become available we will provide more information on how we will make the tool available," Liedholm said in an emailed statement, adding that victims are already being given access with the help of antivirus firm Emsisoft.
"We are working closely with Kaseya to support their customer engagement efforts," Brett Callow, a threat analyst at Emsisoft, said in a statement. "We have confirmed that the key is effective in unlocking victims and will continue to assist Kaseya and its customers."
The security firm is working on the broader remediation alongside Mandiant and Kaseya, but when asked for additional clarification as to who provided the decryption key and how many victims still need it, Callow referred Wired to Liedholm.
The ability to unlock every encrypted device is undeniably good news. But the number of victims still in need of help at this point may be a small fraction of the initial wave. "The decryption key is probably helpful for some customers, but it's probably too late," says Jake Williams, CTO of the security firm BreachQuest, which has several customers hit in the REvil campaign. That's because anyone who could restore their data, whether through backups, payment or otherwise, would probably have done so by now. "Where there's some unique data on that encrypted system that can't be reconstructed in any meaningful way are the cases where the most help is needed," says Williams. "In those cases, we recommend those orgs pay for decryption keys immediately if the data is critical."
Many of the REvil victims were small and medium-sized businesses; as MSP clients, they are by definition the type that prefers to outsource their IT needs, which means they are also less likely to have reliable backups readily available. Still, there are other ways to reconstruct data, even if it means sending out what you have to clients and vendors and starting over. "No one was expecting a key," says Williams.