Kaseya obtains REvil decryptor, starts sharing it with afflicted customers

Michael Wojcik

Re: Meanwhile, back to the article itself...

There are a number of possibilities. Recall that REvil, before they went dark, said they'd publish the decryption key (for everyone to use) if they got $70M – from anyone. They suggested a third party might want to stump up the cash. They also said they were open to negotiations; general opinion at the time was that they'd settle for considerably less.

Then they went dark. No one has made a credible public statement about why. They could have decided to close up shop, possibly to sell the business or rebrand with (more or less) the same staff, much as GandCrab seem to have done. They could have been told to shut down or lie low by the Russian authorities – while Russia has no interest in stopping the Russian malware groups, it's useful for them to sow confusion and occasionally appear to be cooperating by messing about with them once in a while.[1]

REvil could also have been shut down by another nation-state by various means, or by a private-sector organization – though most of the latter would have turned it into a PR opportunity. Or they could themselves have been successfully hacked by hackers of whatever ideological type.

The decryption key could have been demanded or extracted as part of the REvil shutdown. It could have been paid for by Kaseya, by one of their victims, or by a third party. REvil themselves could have voluntarily handed it over, after deciding the attack had spiraled out of control and it would be better to take the heat off. Remember that the loss to REvil is pretty much entirely in unrealized gains; it's not like they're out-of-pocket on having planted the Kaseya malware. They might have paid some operatives a bit for that up front but usually those payments are mostly done as a portion of the received ransoms.

REvil have made quite a bit of money already, so giving this one away doesn't greatly diminish their success. Particularly if they sold the business or are planning a rebrand.

I've read a few analyses of the situation, and thus far I haven't seen any evidence to make me consider one of these explanations particularly more likely.

[1] Doing this intermittently also has the advantage of serving as diplomatic random reinforcement, which makes it more difficult for other nations to determine or even think rationally about the optimal diplomatic strategy. (Random reinforcement is a powerful cognitive trap.)
