Kaseya recovers data stolen in ransomware attack with mysterious decryption tool

Published at: July 27, 2021

IT software provider, Kaseya, has announced it is providing its clients with a decryption tool to recover customer data that was locked in a ransomware attack earlier this month.

In a July 26 notice on its website, the global technology firm stated it has been assisting its customers with the restoration of their encrypted data in partnership with cybersecurity company Emsisoft.

It has been issuing a mysterious “decryptor” tool enabling customers to access data that had been locked by the malware disseminated in the July 2 attack.

“The decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack.”

The company has denied paying the $70 million in Bitcoin to the Russian hacker group, REvil — which took responsibility for the attack. Kaseya did not disclose how it came across the decryption software either, stating only that it has not paid any ransom to get it.

Kaseya confirmed that, after consultation with experts, it decided not to negotiate with the criminals who perpetrated the attack, stating:

“We are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”

On July 2, the ransomware hacking group REvil brought the networks of at least 200 U.S. companies to their knees by leveraging an unpatched zero-day vulnerability in Kaseya's IT management and automation software (VSA).


The news comes as ransomware is coming under increasing scrutiny from lawmakers.

According to a July 9 Cointelegraph report, Michele Korver’s appointment to the U.S. Financial Crimes Enforcement Network (FinCEN) promises to reduce illicit financial practices within the crypto space. During her previous tenure at the Department of Justice, she developed cryptocurrency seizure and forfeiture policy and legislation.

U.S. senators and politicians have come down hard on the cryptocurrency sector, largely blaming the technological phenomenon for the increase in ransomware attacks. Following the Colonial Pipeline and JBS attacks in May and June, there were calls for a crackdown on cryptocurrency in the U.S. senate after digital assets were dubbed the “ransom payment of choice” for hackers.

Meatpacker JBS paid an $11 million Bitcoin ransom to REvil, while Colonial made a $4.4 million BTC payment to Russia-linked DarkSide.
