Earlier this month the REvil ransomware operation launched a massive attack by exploiting a zero-day vulnerability in the Kaseya VSA remote management application, encrypting about sixty managed service providers and an estimated 1,500 businesses.
After the attack, the threat actors demanded $70 million in exchange for a universal decryptor.
The situation is extremely interesting because soon afterwards the REvil ransomware gang mysteriously disappeared, with the threat actors shutting down their payment sites and infrastructure as well.
The gang's disappearance left the companies that would have needed to purchase a decryptor for their data unable to do so.
Kaseya stated that they obtained a universal decryptor for the ransomware attack from a “trusted third party” and now are distributing it to the affected customers.
We can confirm we obtained a decryptor from a trusted third party but can't share any more about the source.
We had the tool validated by an additional third party and have begun releasing it to our customers affected.
It is unknown who provided the Kaseya decryptor, but Kaseya confirmed to BleepingComputer that it is the universal decryption key for the entire attack, allowing all MSPs and their customers to decrypt their files for free.
From the information available so far, Kaseya has neither confirmed nor denied that it paid for the decryption key.
Fabian Wosar, the Emsisoft CTO, told BleepingComputer that Emsisoft was the third party that validated the key and that it will continue to aid Kaseya in its recovery efforts.
We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.
Why Did REvil Shut Down?
At this time, it is unclear what made the REvil ransomware operation shut down and go into hiding, as multiple international law enforcement agencies have stated that they were not involved in its disappearance.
The attacks on JBS and Kaseya led the White House to pressure the Russian government to take action against the ransomware gangs believed to be operating from Russia, and it is possible that the Russian government told the REvil ransomware gang to shut down and disappear.
Journalists from BleepingComputer asked the FBI about possible involvement in procuring the Kaseya decryption key, but the FBI denied any involvement.
The DOJ and FBI have an ongoing criminal investigation into the criminal enterprise behind the REvil/Sodinokibi ransomware variant and the actors responsible for the Kaseya ransomware attack specifically.
Per DOJ policy, we cannot comment further on this ongoing investigation.
REvil is not the first operation to shut down only to reappear under another identity: the GandCrab ransomware operation previously shut down and rebranded as REvil.