Behind The Kaseya Ransomware Attack: The Actors, Funds, And Aftermath
The U.S. Department of Justice, along with the Federal Bureau of Investigation, on Monday held a press conference in which they announced the arrest of an alleged perpetrator of the July Kaseya ransomware attack, the indictment of a second perpetrator, the recovery of $6.1 million in alleged illicit ransom payments, the support Kaseya provided that made those actions possible, and why the release of the decryptor tool by the FBI was delayed.
In early July, Kaseya was forced to take all SaaS instances of its VSA remote monitoring and management tool offline following an attack against some on-premises VSA customers.
Ransomware operator REvil, which initiated the cyber attack, a few days later demanded $70 million from Kaseya for a decryptor that could be used to recover the encrypted data of the 1,000-plus end customers hit by the attack. The FBI eventually was able to obtain the decryptor tool and enable those customers to recover.
Kaseya eventually said that the REvil attack via its VSA hit 56 of Kaseya’s 37,000 MSP customers and about 1,500 of those MSPs’ end-user clients.
Law enforcement investigations of ransomware attacks are seldom resolved, and so the DOJ and FBI have a right to brag. But at the same time, they gave credit where credit was due, thanking Kaseya for its swift action in bringing the case to the FBI, and thanking international law enforcement partners, particularly in Poland, for their support.
For details on what was learned from the DOJ and FBI this week, and a few questions yet to be answered, click through the slideshow.