Kaseya obtains REvil decryptor, starts sharing it with afflicted customers

Software-for-services providers business Kaseya has obtained a "universal decryptor key" for the REvil ransomware and is delivering it to clients. A brief Thursday update to the company's rolling security advisory states the company received the key on July 21st. "We can confirm that Kaseya obtained the tool from a third …

  1. Anonymous Coward

    Digicert or Cloudflare or both elReg?

    elReg, is your cert Digicert, Cloudflare or both?

    I notice that when I visited your site, it was secured with Digicert before it was loaded, and after fully loading, it's secured with a Cloudflare certificate. Yet a Cloudflare check says you're not using Cloudflare CDN, so just their cert? sni.cloudflaressl.com

    Right?

    There's a loooonnnnnggggg lag during the Digicert redirect.

    1. Throatwarbler Mangrove Silver badge
      FAIL

      Re: Digicert or Cloudflare or both elReg?

      Man, if only this Web site had some kind of contact information. Oh well, guess you'll have to comment on a random article instead.

  2. Lil Endian Silver badge
    FAIL

    Meanwhile, back to the article itself...

    "...obtained the tool from a third party..."

    Er, lemme have a guess: you paid the ransom, didn't you. DIDN'T YOU! Go on, admit it. Just a wild stab in the dark, which is what you should have.

    If I'm wrong, I'm wrong.

    They really need to stop touting themselves as providers of infosec services.

    1. katrinab Silver badge
      Unhappy

      Re: Meanwhile, back to the article itself...

      If I were to comment on who I would like to stab in the dark, or in any other lighting conditions, I would be prosecuted for inciting violence. So I won't do that.

    2. roddie digital

      Re: Meanwhile, back to the article itself...

      Don't think they could pay the ransom since REvil went dark. I think one of the affected orgs paid for the keys but couldn't get them to work.

      1. Michael Wojcik Silver badge

        Re: Meanwhile, back to the article itself...

        There are a number of possibilities. Recall that REvil, before they went dark, said they'd publish the decryption key (for everyone to use) if they got $70M – from anyone. They suggested a third party might want to stump up the cash. They also said they were open to negotiations; general opinion at the time was that they'd settle for considerably less.

        Then they went dark. No one has made a credible public statement about why. They could have decided to close up shop, possibly to sell the business or rebrand with (more or less) the same staff, much as GandCrab seem to have done. They could have been told to shut down or lie low by the Russian authorities – while Russia has no interest in stopping the Russian malware groups, it's useful for them to sow confusion and occasionally appear to be cooperating by messing about with them once in a while.[1]

        REvil could also have been shut down by another nation-state by various means, or by a private-sector organization – though most of the latter would have turned it into a PR opportunity. Or they could themselves have been successfully hacked by hackers of whatever ideological type.

        The decryption key could have been demanded or extracted as part of the REvil shutdown. It could have been paid for by Kaseya, by one of their victims, or by a third party. REvil themselves could have voluntarily handed it over, after deciding the attack had spiraled out of control and it would be better to take the heat off. Remember that the loss to REvil is pretty much entirely in unrealized gains; it's not like they're out-of-pocket on having planted the Kaseya malware. They might have paid some operatives a bit for that up front but usually those payments are mostly done as a portion of the received ransoms.

        REvil have made quite a bit of money already, so giving this one away doesn't greatly diminish their success. Particularly if they sold the business or are planning a rebrand.

        I've read a few analyses of the situation, and thus far I haven't seen any evidence to make me consider one of these explanations particularly more likely.

        [1] Doing this intermittently also has the advantage of serving as diplomatic random reinforcement, which makes it more difficult for other nations to determine or even think rationally about the optimal diplomatic strategy. (Random reinforcement is a powerful cognitive trap.)

  3. Anonymous Coward

    Is there a single key?

    ISTR from other ransomware attacks that each hit has a unique decrypt key. Otherwise people would either crowdfund, or some generous soul might just give the keys away ....

    1. Clausewitz 4.0
      Devil

      Re: Is there a single key?

      From a technical perspective, for this amount ($$), the developers can perfectly wrap all keys into a single decryptor, which chooses the correct key for the system it is being used upon.

      1. Nifty Silver badge

        Re: Is there a single key?

        Sounds like fairy dust or the ransomware was very low quality (which would contradict all the news stories we've heard about how professional the ransomware attacks were).

        The idea that a decryptor can hold 'all the keys' is too fanciful. Must be more to the story.

        1. Clausewitz 4.0
          Devil

          Re: Is there a single key?

          QUOTE: "The idea that a decryptor can hold 'all the keys' is too fanciful. Must be more to the story."

          No, it's not fanciful, it is technically viable and has been done in the past already (I believe I read it somewhere).

          Supposing 4000 systems were infected and each key is 512 bytes in size, it will add 200Kb to the final .EXE size to hold all the keys, plus the extra algorithm part to test each key on one file and, on success, use that key for the rest of the encrypted files.

          1. Michael Wojcik Silver badge

            Re: Is there a single key?

            There are much simpler approaches. One is to encrypt data on each victim machine with a random key, and leave copies of that random key on the victim machine, encrypted with a per-target key and a global key. Then either the per-target key or the global key can be used to decrypt the data on that particular machine.

            The per-target key can be produced by a KDF that takes as input some global secret and some data derivable from the target organization, so the attackers don't have to store the keys.

            That's just as secure as, and far more scalable than, having some central database of encryption keys for every system.

            There's a large body of literature on key splitting and key sharing.
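            The two designs discussed in this sub-thread (a decryptor that carries a list of keys and trial-decrypts one file with each, and the envelope scheme where a random per-machine data key is stored wrapped under both a per-target key and a global key) can be shown side by side in a few dozen lines. The following is an added illustration, not code from the thread, from REvil or from Kaseya: it is the same envelope-encryption pattern a cloud KMS uses, built only from the Python standard library, with HMAC-SHA256 standing in as key-derivation function, counter-mode keystream and encrypt-then-MAC tag (an illustrative construction; a real system would use an AEAD such as AES-GCM). Names such as `derive_key`, `protect_dataset` and `recover_data` and the tenant labels are my own assumptions. The defender's takeaway it demonstrates is the point made above: once a data key is wrapped under a master key, that single master key opens every record, so a "universal decryptor" needs no key database at all.

```python
import hashlib
import hmac
import os

# Added illustration (not from the thread): envelope encryption with a data
# key (DEK) wrapped twice, once under a per-tenant key derived from a global
# secret and once under a global master key.  Primitives are stand-ins built
# from the standard library; production code would use an AEAD (AES-GCM).

TAG_LEN = 32
NONCE_LEN = 16


def derive_key(secret: bytes, label: bytes) -> bytes:
    """Per-tenant key = HMAC(global secret, tenant label): nothing to store."""
    return hmac.new(secret, b"tenant-key|" + label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, truncated to the requested length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag fails (wrong key or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def protect_dataset(global_key: bytes, global_secret: bytes, tenant_label: bytes, data: bytes) -> dict:
    """Encrypt data under a fresh random DEK and keep two wrapped copies of the DEK beside it."""
    dek = os.urandom(32)
    tenant_key = derive_key(global_secret, tenant_label)
    return {
        "tenant": tenant_label,
        "ciphertext": wrap(dek, data),
        "wrapped_dek": [wrap(tenant_key, dek), wrap(global_key, dek)],
    }


def recover_data(record: dict, candidate_keys):
    """Trial-unwrap: the first candidate that authenticates any wrapped copy yields the DEK.

    This is the 'try each key on one file' loop from the thread, applied to the
    wrapped DEKs instead of to the data; the MAC check makes the trial reliable.
    """
    for key in candidate_keys:
        for blob in record["wrapped_dek"]:
            dek = unwrap(key, blob)
            if dek is not None:
                return unwrap(dek, record["ciphertext"])
    return None


def demo():
    """Show that either the global key or the re-derived tenant key recovers the data."""
    global_key = os.urandom(32)
    global_secret = os.urandom(32)
    payload = b"constructed sample payload"          # constructed input
    rec = protect_dataset(global_key, global_secret, b"tenant-A", payload)
    by_global = recover_data(rec, [global_key])                                   # master key alone
    by_tenant = recover_data(rec, [derive_key(global_secret, rec["tenant"])])     # per-tenant key alone
    by_wrong = recover_data(rec, [os.urandom(32)])                                # unrelated key
    return by_global, by_tenant, by_wrong


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry this makes visible: the per-tenant path needs the global secret plus the tenant label, the global path needs only the master key, and neither requires a stored table of keys. Protecting that one master key (HSM, split custody, audit on every unwrap) is therefore the whole game for anyone running such a hierarchy legitimately.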

    2. osmarks

      Re: Is there a single key?

      I vaguely remember reading that it was designed so that each system had an encryption key for the stuff on it, encrypted (asymmetrically) with a key REvil had somewhere.

  4. Kurgan

    Either they paid or someone visited the REvil HQ with an AK47.

  5. Anonymous Coward
    WTF?

    Update

    Kaseya has refused to comment on what it paid to get the key and is making customers sign a non-disclosure agreement before it will give them the key.

    https://gizmodo.com/kaseya-is-making-its-customers-sign-non-disclosure-agre-1847356517

    1. David 132 Silver badge

      Re: Update

      In other words: yes, they paid the Danegeld.
