Kaseya Finally Gets Its Decryptor — Three Weeks Late
Kaseya says a "trusted third party" handed it a universal REvil decryption key, three weeks after the ransomware attack locked out roughly 1,000 businesses.
Three weeks is a long time to run a business with your files locked. That’s how long it’s been since the REvil crew hit Kaseya’s VSA software on July 2, and on Friday the company finally announced it had a universal decryption key in hand, courtesy of what it’s calling a “trusted third party.” Roughly 1,000 downstream businesses — mostly small shops that depend on managed service providers running Kaseya’s tools — have been waiting on this.
The phrase “trusted third party” is doing a lot of work here, and Kaseya isn’t elaborating much beyond it. The company is also going out of its way to say it never paid the reported $70 million ransom REvil demanded. If true, that’s notable, because the going theory since day one was that either Kaseya quietly paid up or law enforcement leaned on REvil’s infrastructure. Neither explanation has been confirmed, and a mystery benefactor handing over a master key for free doesn’t quite fit the usual pattern of how these things resolve.
A few ways to read this:
Law enforcement got involved behind the scenes. Given the size and visibility of this attack — it hit an estimated 1,500 organizations worldwide through the MSP supply chain — it wouldn’t be shocking if intelligence agencies had a hand in either compromising REvil’s servers or negotiating something off the books. Whether “trusted third party” is a security researcher, a government agency, or REvil itself getting cold feet under pressure is anyone’s guess right now.
REvil’s infrastructure has gone quiet. Worth noting that REvil’s leak sites and payment portals reportedly went dark earlier this month, right around when this key surfaced. Whether that’s a coincidence, a law enforcement takedown, or the group deciding to lay low after biting off more than it could chew with an attack this visible, we don’t know yet.
The ransom-payment question matters for policy. If Kaseya really didn’t pay, this becomes a case study for the “don’t pay, hold out, wait for a break” camp in the ongoing ransomware policy debate. If it turns out payment did happen somewhere along the chain and just isn’t showing up in Kaseya’s own books, that’s a very different story about what actually works when you’re staring down a supply-chain attack that’s freezing a thousand businesses’ operations at once.
Practically speaking, getting a decryption key is only step one for the affected businesses. Restoring from a key still means validating the tool actually works cleanly across different environments, checking that decrypted data isn’t corrupted, and — probably the more important step people skip — figuring out how REvil got into VSA in the first place and making sure that door is actually shut. Kaseya patched the zero-days it disclosed, but “we have a decryptor now” and “we’ve fully secured our supply chain” are two very different sentences, and only one of them has been said out loud so far.
This whole episode has been a rough advertisement for the managed-service-provider model in general — a single vulnerable vendor cascading into a thousand small businesses is exactly the nightmare scenario the industry has been warning about for years. Expect this one to get cited in a lot of security conference talks for a while.