The Washington Post

Company hit by massive ransomware attack obtains key to unlock customer files

Kaseya said it obtained the computer key from a ‘trusted third party’ and that it did not pay a ransom.

The company hit by a massive ransomware attack just before July Fourth weekend said it has obtained a computer key to unlock the files of hundreds of companies.

Kaseya, an information technology company, said it got the universal decryptor key from a “trusted third party” and has validated that it works. Spokeswoman Dana Liedholm said Kaseya received the key Wednesday and has been working with customers to roll it out.

Liedholm initially declined to say whether Kaseya paid a ransom to obtain the key. But Kaseya issued a new statement Monday, confirming it did not pay.

“As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor,” it said in an update posted to its website.

The hacking group behind the attack, called REvil, originally demanded $70 million to provide a universal decryptor key. But then the group disappeared online, leaving companies that may have wanted to pay a ransom high and dry.

Kaseya provides software that allows companies to manage their computer systems, and it supplies that software to managed service providers that in turn service tens of thousands of companies. The affected software spread to between 800 and 1,500 companies, Kaseya estimated. Those companies were then unable to access their files. Instead, they were prompted to pay a ransom to get a decryptor key that would return control to them. The ransom demands ranged from $45,000 for smaller companies up to $5 million for larger ones.

The attack hit a small town in Maryland, where staffers were unable to use their computers or send out utility bills, and a large grocery store chain in Sweden, which had to temporarily close its hundreds of locations.

The ransomware attack was the latest in a string of high-profile attacks stemming mainly from organized groups of hackers based in Eastern Europe. The frequency and severity of such attacks have increased in the past two years, especially as hackers band together to make the attacks more lucrative.

Hackers made their way into Kaseya’s software by discovering a vulnerability in it and using that to get into the company’s system. But most ransomware attacks use relatively unsophisticated methods to break into computers, such as sending phishing emails that trick employees into opening an attachment or clicking on a link that downloads malicious software, which goes on to encrypt files and bar access to the whole network.

Some experts conservatively estimate that hackers received $412 million in ransom payments just last year.

A high-profile attack against Colonial Pipeline in May caused panicked fuel-buying and long lines at gas stations. Another attack, against meat supplier JBS, temporarily shut down meat plants across the United States. The company eventually paid hackers $11 million to restore its systems.
