But the Key Appears to Only Unlock Files Encrypted in the Kaseya Attack
There’s yet another twist in the saga around REvil, the prolific but now-defunct ransomware group.
Security analysts are testing a decryption key that a user linked to on Friday on the Russian-language cybercrime forum XSS. Experts say the key decrypts files encrypted by the REvil ransomware used in the July 2 attack against Miami-based software developer Kaseya.
Kaseya develops remote monitoring and management software used by managed service providers. In late July, Kaseya obtained a decryptor that unlocks files encrypted in the REvil attack.
Kaseya did not disclose the source of the key and said it did not pay a ransom. It initially stated in a now-edited blog post that the key had come “unexpectedly” (see Kaseya Obtains Decryption Tool After REvil Ransomware Hit).
It’s unclear whether the key released on Friday is the one Kaseya has been distributing to victims under a nondisclosure agreement. A Kaseya spokesperson said late Tuesday that the company has no comment.
It’s possible that one of the recipients of that key who was bound by an NDA posted it on XSS in an attempt to avoid legal repercussions.