The technology provider at the center of a ransomware attack this month said it obtained a tool to unlock data targeted by hackers in an incident that disrupted hundreds of firms in several countries.
Miami-based Kaseya Ltd. on Thursday said it received a universal decryptor that would help restore all the computer systems affected by the July 2 hack of one of its products, which acted as a springboard for hackers to reach New Zealand schools, a Dutch information-technology company and other organizations. The ransomware group behind the attack initially demanded $70 million for such a tool.
Kaseya spokeswoman Dana Liedholm described the source of the decryptor as a trusted third party, declining to elaborate or comment on whether a ransom was paid.
“We are actively and successfully using the tool to help those customers affected by the ransomware,” Ms. Liedholm added.
The attack targeted Kaseya’s virtual system administrator product, which helps clients manage their computer networks. The firm has released a series of updates to the tool over the past 10 days in the hope of mitigating the damage from the hack.
The Biden administration says it is taking an increasingly aggressive approach to ransomware, bolstering cyber standards for federal contractors and disrupting transactions used to launder ransom payments, as well as putting more public pressure on Russia, which it says provides safe harbor to hacking groups. The Kremlin has denied such claims.
Federal Bureau of Investigation Director Christopher Wray told The Wall Street Journal in June that authorities could also help some victims restore their systems without engaging hackers.
“I don’t want to suggest that this is the norm, but there have been instances where we’ve even been able to work with our partners to identify the encryption keys, which then would enable a company to actually unlock their data—even without paying the ransom,” he said.
It is unclear if authorities provided Kaseya with the decryptor Wednesday. A spokesman for the FBI said it is investigating the Kaseya hack but declined to comment further. The National Security Council didn’t immediately respond to a request for comment.
Coming amid a series of hacks that disrupted U.S. infrastructure, the Kaseya incident represented an escalation in ransomware tactics, cyber experts say. Hackers targeted a technology service provider and distributed ransomware among its customers and their respective clients, indiscriminately hacking the digital supply chain.
The initial breach of Kaseya’s product allowed hackers to reach dozens of customers that used it, including other service providers, company officials said. The attackers subsequently used those access points to enter computer networks of as many as 1,500 total victims, straining cybersecurity specialists who have responded to a surge in ransomware this year.
“For almost three weeks now, managed service providers and small-to-medium [sized] businesses have been working overtime to recover and restore systems,” said John Hammond, senior security researcher at cyber firm Huntress Labs Inc., which has been investigating the attack.
Kaseya got hold of the decryptor more than a week after a prolific criminal group suspected of the hack, known as REvil, went dark. The disappearance puzzled cybersecurity experts and left victims who had been negotiating with the group—not limited to Kaseya-related victims—in a lurch.
Ransom negotiators from the cyber firm GroupSense had been in talks with REvil on behalf of a hacked law firm on July 13 when they noticed that the group’s infrastructure had become unresponsive, Chief Executive Kurtis Minder said. REvil’s sites for chatting with victims and its “Happy Blog,” where it publicized stolen data, were down, he said.
The law firm, which wasn’t a Kaseya-related victim and which Mr. Minder declined to name, had hoped to pay REvil for a decryption key in lieu of proper backups of its data, he said. Mr. Minder and other cyber specialists working with such victims are now left wondering if the decryption key obtained by Kaseya will also work for them.
Decryptors don’t necessarily restore companies’ data as fast or comprehensively as victims would like, cyber experts say. But the Kaseya tool could help other companies that have been affected by REvil attacks, said Mike Hamilton, chief information security officer at Critical Insight Inc., a firm that is working with the gang’s victims.
“If the key is indeed universal,” he said Thursday, “we’d sure like a copy.”
—James Rundle and Dustin Volz contributed to this article.
Write to David Uberti at [email protected]
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.