- Kaseya and its clients were the victims of a ransomware attack in early July.
- The company obtained a decryptor key and shared it with clients.
- It still hasn’t said how it got the tool.
On July 2, IT software provider Kaseya was crippled by an attack attributed to Russia-based hacking group REvil. The ransomware compromised the software and removed the clients’ administrator access. REvil demanded $70 million to restore normal operations.
Last week, Kaseya announced it had received the decryptor key to undo the attack, which affected hundreds of businesses that use Kaseya software worldwide. But it declined to say how—beyond that it had come from a “trusted third party,” leading to speculation that it had paid the $70 million ransom.
Not so, said Kaseya on Monday. “We are confirming in no uncertain terms that Kaseya did not pay a ransom—either directly or indirectly through a third party—to obtain the decryptor,” it said in an update on its website.
Others have paid such ransoms, despite warnings last year from the Treasury Department that paying hackers could be a violation of US sanctions against specific foreign actors.
Meatpacker JBS USA paid an $11 million Bitcoin ransom to REvil in June after an attack that threatened one-quarter of the country’s meat supply. A month prior, Colonial Pipeline paid $4.4 million in BTC to Russia-linked DarkSide, though it ostensibly did so after consulting with the Justice Department; federal law enforcement was able to recover some of the funds.
“While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment,” Kaseya wrote.
That denial gives added weight to competing theories suggesting that Kaseya received the decryption tool via government backchannels. President Joe Biden has threatened Russian President Vladimir Putin with “consequences” should Russia choose not to act on ransomware attacks that take place within its borders. The U.S. has promised to share intelligence with Russia on the matter. REvil subsequently disappeared from the dark web.
As of mid-May, ransomware payments had cost companies the equivalent of $81 million this year, according to blockchain tracking firm Chainalysis. That doesn’t account for the costs of network outages or working independently to restore service.