Kaseya Obtains Universal Decryptor for Ransomware Attack Victims

IT management software maker Kaseya on Thursday said it obtained a universal decryptor that should allow victims of the recent ransomware attack to recover their files.

In early July, cybercriminals exploited vulnerabilities in a Kaseya product to deliver ransomware to MSPs who had been using that product, as well as to the customers of those MSPs. The company estimated that between 800 and 1,500 organizations received the ransomware, although some experts believe the actual number could be higher.

The attackers delivered the REvil ransomware, which encrypted files on compromised systems and asked victims to pay a ransom to recover them. However, victims that have not already paid up will now get help from Kaseya, after the company obtained a “universal decryptor key.”

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” Kaseya said.

It’s unclear how Kaseya got the decryptor, but the company said it was obtained from a “trusted third party.” Cybersecurity company Emsisoft verified the decryptor and confirmed that it works properly, Kaseya said.

It’s worth noting that the attackers also offered a universal decryptor that could allegedly be used to recover all encrypted files. They initially asked for $70 million for the universal decryptor, but some reports said the amount was later brought down to $50 million.

The Tor-based website used by the REvil ransomware gang to name victims and leak stolen data went offline roughly ten days after the attack on Kaseya, and it’s currently still down.

Because the ransomware was delivered to victims via Kaseya software and began encrypting their data immediately, the cybercriminals did not get a chance to steal information from compromised systems, as they had in past attacks. In addition, the ransomware in many cases failed to delete backups before encrypting files, which has apparently led to a majority of victims not paying the ransom demanded by the hackers.

After some delays, Kaseya released patches for the vulnerabilities exploited in the attack. The company had been aware of at least some of the flaws, but failed to patch them before the attack was launched.

While the incident has been described as one of the worst ransomware attacks ever, Kaseya has attempted to downplay it. It also came to light that this was not the first time the company had been targeted by hackers, and some claimed that it had not always treated cybersecurity issues as seriously as it should have.

Related: Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack

Related: Emails Offering Kaseya Patches Deliver Malware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
