
Re: scion post# 47369

Tuesday, 07/27/2021 9:17:46 AM
When Ransomware Group REvil Vanished, Its Victims Were Stranded

By Kartikay Mehrotra
27 July 2021, 11:45 BST
https://www.bloomberg.com/news/newsletters/2021-07-27/when-ransomware-group-revil-vanished-its-victims-were-stranded

Hi, this is Kartikay on the cyber team. Ransomware attacks always hurt—but perhaps never more so than when the victim is compromised through the very company they pay for IT and security services.

That’s what happened to the nearly 1,500 targets attacked through a vulnerability at Kaseya Ltd., an IT management and antivirus software provider. Eastern European hackers compromised Kaseya in early July, and then went on to infect its customers and, in turn, their customers en masse with ransomware made by the REvil hacking group.

The breach was ironic, but typical of the ransomware attacks that have increasingly roiled global business in recent months. Usually, after hackers take control of company networks, those networks are restored only when the company is able to tap its backup servers, or when it pays the hackers for a decryption key.

It was the aftermath of the Kaseya case where things got unusual. Two weeks after the initial attack, the REvil ransomware gang vanished from the internet. It’s still unclear exactly what happened to REvil. They may have been asked to cease operations by Russia at President Joe Biden’s insistence. Or maybe western law enforcement toppled their infrastructure. Or maybe they realized they’d bitten off more than they could chew and decided to lay low.

But while some celebrated the disappearance as a victory against cybercrime, many of REvil’s recent victims were left in purgatory, said John Hammond, senior security researcher at the cybersecurity firm Huntress.

Multiple recent victims, including some compromised in the Kaseya attack, were still waiting for REvil to help them restore access to their networks when the group went offline, Hammond said. They had either paid but were waiting for their decryption key when REvil went missing, or they very much wanted to pay, but by the time they negotiated a price, there was no one on the other end of the line to receive the cash.

“People that were in that unfortunate situation, it just really sucks,” Hammond said. “They reached out to anyone who could help, but it’s tough because they all came up empty handed.”


According to two people familiar with REvil’s targets, at least three victimized companies that were left in the lurch when the group went offline were able to fully restore operations using still-accessible backup files. Six others have partially restored services, said the people, who asked to remain anonymous discussing private information. But many of the rest of the victims—including manufacturers, healthcare providers and private schools—were left to frantically reach out to their MSPs, competitors and cyber research firms in what was ultimately a fruitless hunt for a functional decryption key. Unfortunately, landing a key that works on multiple victim networks is extremely rare.

But all was not lost. Last week, about three weeks after the first attack, Kaseya announced that it had obtained a “universal decryptor key”—a tool the company said it has offered to all victims compromised by REvil malware via access to Kaseya. REvil had earlier offered this key for $70 million. On Monday, Kaseya said that it did not pay REvil or any other hacker group a ransom for access to it.

The company says it has since distributed the key widely, including to many of its 54 clients compromised in the attack. Those 54 have since been authorized to share the key with their own clients to connect as many of the nearly 1,500 victims as necessary, said Dana Liedholm, a spokesperson for Kaseya. She could not offer an estimate for the number of victims who have used the decryptor.

While Kaseya's clients may get some relief, the attack underscores deeper vulnerabilities in corporate America and beyond. By hacking an IT firm and cyber defender with special access to clients, bad actors were able to create a mass cyber-casualty event, the effects of which are still playing out. That could provide a blueprint for future, even more dangerous attacks—whether or not the hackers are there to collect. —Kartikay Mehrotra
