Victims of Russian hackers’ latest ransomware onslaught may soon feel some relief. Kaseya, the IT management software company that Russian hackers popped earlier this month, says it’s obtained a tool that will help victims recover from the attack and unlock their files.
The development is bound to be welcome news for victims of the attack, which is believed to be one of the largest publicly known ransomware incidents, with thousands of victims around the world. It has hit schools in New Zealand and forced a Swedish grocery store chain to shut down, among other businesses.
But the whodunnit—or rather, who saved the day—mystery is only just beginning.
In a phone call Tuesday, Kaseya spokesperson Dana Liedholm first declined to comment on the source of the tool, saying only that it came from a trusted third party the company could not identify because of a confidentiality agreement.
Brett Callow, a threat analyst at security firm Emsisoft, confirmed to The Daily Beast that the decryption tool Kaseya obtained works and should help victims moving forward.
But new details about the origins of the tool began to percolate Friday. And they could provide clues about whether the U.S. government intervened with the hackers behind the ransomware attack or whether Kaseya paid the ransom.
Kaseya confirmed to The Daily Beast Friday that Emsisoft created the tool, but noted that while “it was created by Emsisoft,” it “is based on the original version we received from the trusted third party,” which Kaseya did not identify.
Emsisoft’s Callow declined to comment on the specifics of the case, but noted that “generally speaking, we have the ability to extract keys from threat actors’ decryptors and put them into our own which are considerably faster and safer.” Charles Carmakal, a senior vice president and chief technology officer at FireEye’s Mandiant, which is investigating the ransomware incident, confirmed to The Daily Beast that Emsisoft created the decryption tool but declined to elaborate on its origins.
Amid the secrecy about who this third party is, speculation has been swirling that Kaseya or another victim paid the hackers’ multi-million dollar ransom demand to obtain the key. The Russian-speaking hackers, known as REvil, locked up the files of Kaseya clients and their customers earlier this month and demanded between $50 million and $70 million to unlock them. Kaseya spokesperson Liedholm declined to say whether the company paid up.
Others are banking on hunches that the U.S. government has intervened and seized the hackers’ servers in order to help derive a tool for victims to unlock their files. The tool’s arrival comes just weeks after the Biden administration warned the Kremlin that if it didn’t do anything to rein in the criminal hackers working from within Russia, the U.S. government would step in and take matters into its own hands. Biden suggested the U.S. government could tackle the hackers’ servers as one option. The Kremlin suggested in a statement in recent weeks it was snubbing the Biden administration’s requests to help.
It’s not clear if the U.S. did anything to disrupt the ransomware gang. But the Russian-speaking hackers mysteriously went dark just last week without explanation. (It’s possible the hackers simply went offline on their own, without any disruption from government action—ransomware gangs perennially go dark only to come back online under a new name and brand to avoid law enforcement attention.) Analysis from security firm FireEye at the time suggested it was a planned and concurrent takedown.
Allan Liska, a researcher at cybersecurity firm Recorded Future, says it would be rare for anyone to be able to create a universal decryptor tool for victims without disrupting the hackers and seizing their servers or otherwise gaining access to the keys to help unlock victims’ computers.
“It’s hard to reverse engineer just from the malware” after being attacked, Liska told The Daily Beast. “But if you seize the servers you have access to their backend infrastructure. The keys are in that backend infrastructure. So if you seize their infrastructure you would be able to get the key.”
The National Security Agency deferred comment to the White House and Kaseya. The FBI, U.S. Cyber Command, and the White House did not immediately return requests for comment.
Whether Kaseya is citing an unnamed third party to obscure whether it paid the hefty ransom demand remains to be seen, says Liska.
John Hammond, who has been investigating the ransomware attack, says the fact that Kaseya is keeping mum because of a confidentiality agreement could offer some clues as to the origins of the tool—and offer some hints about whether the U.S. government has intervened and tracked down the REvil hackers or their infrastructure.
“If a universal decryption key is created… it would mean having private keys for every victim, which is absolutely certainly only something REvil would have,” Hammond, a senior security researcher at Huntress Labs, told The Daily Beast. “If REvil is offline and there is suddenly a new universal decryption key that Kaseya has acquired—but is not able to share because of a confidentiality agreement—I have to think that might be a federal entity. They have said we’ve been working with the FBI, we’ve been working with other agencies to uncover and recover from this incident.”
Kaseya declined to tell The Daily Beast if it worked with federal authorities to obtain the decryption tool.
Russia’s Vladimir Putin could have, by now, sucked it up and forced the hackers to pack it in and bleed their hand, says Liska.
“There’s been a lot of speculation that when REvil shut down or retired… it was at the behest of the Kremlin [saying] ‘alright, we’re done with you man.’ Even though the Kremlin themselves says we don’t know anything about it… they could have gotten the key from [REvil] and handed it over through an intermediary to somebody.”
The cavalcade of attention the hacking set off could have spooked the Russian-speaking hackers into submission without intervention from Moscow, says Mike Hamilton, the former vice-chair of the Department of Homeland Security’s State, Local, Tribal and Territorial Government Coordinating Council.
“Maybe the REvil gang leaked it to dial down this manhunt that’s now going on looking for them,” Hamilton, now the CISO of CI Security, a ransomware remediation firm, told The Daily Beast.
For now, some are still waiting to recover from the ransomware incident, says Hamilton, whose client, an unidentified victim, hasn’t yet received the new decryption tool from Kaseya. Kaseya’s spokesperson told The Daily Beast it is first helping its direct customers, namely Managed Service Providers (MSPs), unlock their systems, and then expects those MSPs to share the tool with their own customers.
“Those end user customers will get the decryptor through the MSP (our customer) and would need the MSP to provide that technical assistance anyway,” Liedholm told The Daily Beast.
And although the origins of the tool remain under wraps for now, the tool seems to be working, Carmakal says.
“The Emsisoft decryptor is engineered better than most threat actors’ decryptors—it’s faster and more effective,” Carmakal told The Daily Beast.
For victims who have been waiting nearly an entire month for a reprieve, that’s better than nothing.