Kaseya ‘Likely’ Got Ransomware Decryptor From REvil: Huntress CEO Kyle Hanslovan
‘Since Emsisoft is the one that got it, I think it’s probably more likely that that REvil team or a REvil affiliate leaked it,’ says Huntress CEO Kyle Hanslovan.
Huntress CEO Kyle Hanslovan, who played a pivotal role advocating for MSPs who were hit in the Kaseya ransomware attack, believes the decryptor key Kaseya got its hands on was leaked by a REvil team member or affiliate, although he said other scenarios are possible.
Kaseya said it had obtained the universal decryptor key on July 21, 19 days after the devastating REvil ransomware attack, as part of its bid to help nearly 1,500 compromised customers unlock ransomed files and data.
At that time, Kaseya confirmed that it obtained the tool from a third party and that it was working with anti-malware software provider Emsisoft to help customers recover from the ransomware attack.
CRN reached out to Kaseya but had not heard back at press time.
Earlier this week, Kaseya said it did not negotiate with cyber criminals and pay a ransom to obtain the decryptor. “While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment,” Kaseya said in a prepared statement. “Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal.”
CRN spoke with Hanslovan about the risks of using RMM tools going forward, what Kaseya could have done differently in the wake of the attack and why the vendor didn’t issue patches when it was notified of the vulnerabilities three months prior.