Kaseya is a network security company that developed a software decryption key that was supposed to be used by their clients to encrypt their data in their Kaseya software. The program was initially built for use in the United States, but after the 9/11 attacks, it was found useful by many organizations worldwide including the Russian government to protect sensitive information. The encryption key was developed to allow Kaseya to decrypt their own software, so it was never made available to the general public.
According to a forum post on the hacking web site DC.ru, a customer with access to Kaseya’s global decryption key has leaked the key to a tool that can crack the authentication token used by all of Kaseya’s products, including its flagship product, Kaseya Central. The decryption key can be used to decrypt any data protected by Kaseya’s products.
The global REvil decryptor key used by Kaseya has recently been published on a Russian hacker site. Ekranoplan, a user on Reddit, shared an image of what seems to be a global decryptor for REvil-infected files. The article was also tweeted about by pancak3, a security researcher.
The REvil ransomware group targeted Kaseya’s VSA supply chain on July 2, effectively encrypting over 1500 companies utilizing Kaseya services. Kaseya responded by shutting down their SaaS servers and working on a fix right away.
REvil later sought a whopping $70 million in ransom for a universal decryptor capable of unlocking the attack’s encrypted data in under one hour.
According to CNN, the company announced on July 22 that it had received a universal decryption key from an unnamed “trusted third-party” and had begun distributing it to affected customers, albeit with a non-disclosure agreement, which explains why the key was kept out of the hands of researchers until now.
Although the source of the encryptor is unclear, it is thought that Russian intelligence acquired it from REvil and gave it to US officials as a show of goodwill.
The situation wasn’t looking good for them after REvil’s unexplained departure and Kaseya’s continued struggle to address the issue. This new decryptor, on the other hand, seems to have spared the business a lot of problems.
On the hacker forum, a screenshot of the decryptor was uploaded.
However, it’s obvious from the screenshot that this decryptor is just for files related to the Kaseya assault, not a master operator key for all REvil operations. Emsisoft CTO and ransomware specialist Fabian Wosar verified this.
79CD20FCE73EE1B81A433812C156281A04C92255E0D708BB9F0B1F1CB9130635 is the REvil hardcoded operator public key. F7F020C8BBD612F8966EFB9AC91DA4D10D78D1EF4B649E61C2B9ADA3FCC2C853 is the public key generated by the leaked key. As a result, the key that has been disclosed is not the operator’s private key.
August 11, 2023 — Fabian Wosar (@fwosar)
Flashpoint, another security company, verified that they could recover data encrypted by the REvil ransomware assault. Why the key was released on a hacker forum is still unknown. According to BleepingComputer, though, the poster is more likely to be associated with REvil than a victim.
Regardless, this is the first opportunity for independent researchers and others untouched by the whole REvil-Kaseya saga to examine Kaseya’s universal decryptor. The image was uploaded to a GitHub repository, which you may access here.