back to article Kaseya obtains REvil decryptor, starts sharing it with afflicted customers

Software-for-services providers business Kaseya has obtained a "universal decryptor key" for the REvil ransomware and is delivering it to clients. A brief Thursday update to the company's rolling security advisory states the company received the key on July 21st. "We can confirm that Kaseya obtained the tool from a third …

  1. Anonymous Coward
    Anonymous Coward

    Digicert or Cloudflare or both elReg?

    elReg, is your cert Digicert, Cloudflare or both?

    I notice that when I visited your site, it was secured with Digicert before it was loaded, and after fully loading, it's secured with a Cloudflare certificate. Yet a cloudflare check says you're not using Cloudflare CDN, so just their cert? sni.cloudflaressl.com

    Right?

    There's a loooonnnnnggggg lag during the Digicert redirect.

    1. Throatwarbler Mangrove Silver badge
      FAIL

      Re: Digicert or Cloudflare or both elReg?

      Man, if only this Web site had some kind of contact information. Oh well, guess you'll have to comment on a random article instead.

  2. Lil Endian
    FAIL

    Meanwhile, back to the article itself...

    "...obtained the tool from a third party..."

    Er, lemme have a guess: you paid the ransom, didn't you. DIDN'T YOU! Go on, admit it. Just a wild stab in the dark, which is what you should have.

    If I'm wrong, I'm wrong.

    They really need to stop touting themselves as providers of infosec services.

    1. katrinab Silver badge
      Unhappy

      Re: Meanwhile, back to the article itself...

      If I were to comment on who I would like to stab in the dark, or in any other lighting conditions, I would be prosecuted for inciting violence. So I won't do that.

    2. roddie digital

      Re: Meanwhile, back to the article itself...

      Don't think they could pay the ransom since REvil went dark. I think one of the affected orgs paid for the keys but couldn't get them to work

      1. Michael Wojcik Silver badge

        Re: Meanwhile, back to the article itself...

        There are a number of possibilities. Recall that REvil, before they went dark, said they'd publish the decryption key (for everyone to use) if they got $70M – from anyone. They suggested a third party might want to stump up the cash. They also said they were open to negotiations; general opinion at the time was that they'd settle for considerably less.

        Then they went dark. No one has made a credible public statement about why. They could have decided to close up shop, possibly to sell the business or rebrand with (more or less) the same staff, much as GandCrab seem to have done. They could have been told to shut down or lie low by the Russian authorities – while Russia has no interest in stopping the Russian malware groups, it's useful for them to sow confusion and occasionally appear to be cooperating by messing about with them once in a while.1

        REvil could also have been shut down by another nation-state by various means, or by a private-sector organization – though most of latter would have turned it into a PR opportunity. Or they could themselves have been successfully hacked by hackers of whatever ideological type.

        The decryption key could have been demanded or extracted as part of the REvil shutdown. It could have been paid for by Kaseya, by one of their victims, or by a third party. REvil themselves could have voluntarily handed it over, after deciding the attack had spiraled out of control and it would be better to take the heat off. Remember that the loss to REvil is pretty much entirely in unrealized gains; it's not like they're out-of-pocket on having planted the Kaseya malware. They might have paid some operatives a bit for that up front but usually those payments are mostly done as a portion of the received ransoms.

        REvil have made quite a bit of money already, so giving this one away doesn't greatly diminish their success. Particularly if they sold the business or are planning a rebrand.

        I've read a few analyses of the situation, and thus far I haven't seen any evidence to make me consider one of these explanations particularly more likely.

        1Doing this intermittently also has the advantage of serving as diplomatic random reinforcement, which makes it more difficult for other nations to determine or even think rationally about the optimal diplomatic strategy. (Random reinforcement is a powerful cognitive trap.)

  3. Anonymous Coward
    Anonymous Coward

    Is there single key ?

    ISTR from other ransomware attacks that each hit has a unique decrypt key. Otherwise people would either crowdfund, or some generous soul might just give the keys away ....

    1. Clausewitz 4.0
      Devil

      Re: Is there single key ?

      From a technical perspective, for this amount ($$), the developers can perfectly wrap all keys into a single decryptor, which chooses the correct key for the system it is being used upon.

      1. Nifty Silver badge

        Re: Is there single key ?

        Sounds like fairy dust or the ransomware was very low quality (which would contradict all the news stories we've heard about how professional the ransomware attacks were).

        The idea that a decryptor can hold 'all the keys' is too fancyful. Must be more to the story.

        1. Clausewitz 4.0
          Devil

          Re: Is there single key ?

          QUOTE: "The idea that a decryptor can hold 'all the keys' is too fancyful. Must be more to the story."

          No, its not fancy, it is technically viable and has been done in the past already (I believe I read it somewhere).

          Supposing 4000 systems were infected and each key has 512 bytes in size, it will add 200Kb to the final .EXE size to hold all the keys, plus the extra algorithm part to test each key for 1 file, succeeding, use that key in the rest of the encrypted files.

          1. Michael Wojcik Silver badge

            Re: Is there single key ?

            There are much simpler approaches. One is to encrypt data on each victim machine with a random key, and leave copies of that random key on the victim machine, encrypted with a per-target key and a global key. Then either the per-target key or the global key can be used to decrypt the data on that particular machine.

            The per-target key can be produced by a KDF that takes as input some global secret and some data derivable from the target organization, so the attackers don't have to store the keys.

            That's just as secure, and far more scalable, than having some central database of encryption keys for every system.

            There's a large body of literature on key splitting and key sharing.

    2. osmarks

      Re: Is there single key ?

      I vaguely remember reading that it was designed so that each system had an encryption key for the stuff on it, encrypted (asymmetrically) with a key REvil had somewhere.

  4. Kurgan

    Either they paid or someone visited the REvil HQ with an AK47.

  5. HildyJ Silver badge
    WTF?

    Update

    Kaseya has refused to comment on what it paid to get the key and is making customers sign a non-disclosure agreement before it will give them the key.

    https://gizmodo.com/kaseya-is-making-its-customers-sign-non-disclosure-agre-1847356517

    1. David 132 Silver badge

      Re: Update

      In other words: yes, they paid the Danegeld.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021