Kaseya, the IT company hit by ransomware in early July, confirmed in a statement that it has obtained a decryption key from a third party.
The decryption key is effective at unlocking files of victims whose data was encrypted in the ransomware attack, the company said, and Kaseya’s teams are actively helping customers restore their environments.
Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.
Erich Kron, security awareness advocate at KnowBe4, said news of the decryptor was positive for the victims of the attack, but noted significant damage was already done by way of downtime and recovery costs. Kron also noted that organizations that had data exfiltrated still have to deal with the impact of a data breach.
“Simply decrypting the data does not resolve issues that remain, such as potentially installed back doors the attackers could use at a later date,” Kron said in a statement. “This means there is still a lot of work ahead.”
SC Media reported that the ransomware was installed July 2 by an affiliate of the REvil group using a chain of vulnerabilities in VSA software, including an authentication bypass and a SQL injection.
The company advised on-premises VSA users to turn off their systems. Kaseya quickly turned off its software-as-a-service version as a precautionary measure, despite no known hacking arising from the SaaS product. Kaseya released a patch for on-premises versions of its VSA remote monitoring and management software July 11, and began its rollout of the software-as-a-service version of the tool.
The company stated it believes between 50 and 60 total customers were victims of the REvil outbreak, but with a large MSP client base, Kaseya believes around 1,500 total downstream businesses were ultimately infected.
In another development, the REvil group's unexplained disappearance from the internet last week had raised concern that its victims would be unable to negotiate with the group to regain access to their encrypted data.