Someone has leaked the master decryption key that Kaseya used to unlock the files encrypted by a REvil ransomware attack on the company that affected customers across 22 countries last month.
However, while the key may be interesting to security researchers, it’s not likely to be of use to any of the other companies REvil hit in the spate of attacks that occurred on July 2.
A security researcher who goes by the handle @Pancak3 on Twitter found what was purported to be the key on a hacking forum and tweeted about it, posting a screenshot to the key on Twitter and also GitHub.
While it was first thought that the key could unlock all of the REvil attacks that occurred at the same time as the Kaseya one, it soon became clear to researchers that the decryptor – which appeared to some to be genuine – was only for the files locked in the Kaseya attack.
“Initial tests indicate this might be legit but do not cite me you’ll need own verification,” tweeted @SOS, or SwiftonSecurity, a systems security researcher who writes the Decent Security blog.
Oregon-based ethical hacker @Jeff McJunkin also tweeted that the master decryption key appears legitimate. “If you were affected, it’s definitely worth taking a look (in an isolated lab environment at first, naturally),” he wrote on Twitter.
Researchers at Flashpoint said they patched the decryptor binary with the annotated key from the thread and successfully decrypted a sandbox infected with the new REvil test sample “upon changing the file extensions to “universal_tool_xxx_yyy” as seen in the screenshot,” according to a blog post published Tuesday.
“The files were properly decrypted once the file extensions were renamed,” researchers reported.
Kaseya was one of the victims attacked in a global ransomware spree REvil went on July 2 not long before the group disappeared. The attacks on Kaseya exploited now-patched zero-days in the Kaseya Virtual System/Server Administrator (VSA) platform and affected 60 customers using the on-premises version of the platform.
Many of those hit were managed service providers (MSPs) that use VSA to manage the networks of other businesses. In addition to the direct customers, about 1,500 downstream customers of those MSPs were also affected.
Late on July 22, Kaseya said it had obtained the master decryptor “through a third party,” making it unclear if the company paid the $70 million in ransom REvil demanded for the attack. The company worked with security firm Emsisoft to help customers affected by the attack; the key was used to unlock systems that REvil had encrypted.
Key Limited to Kaseya Attack
Though Emsisoft would not comment at the time about its work to help Kaseya customers decrypt their files after the REvil attack, CTO Fabian Wosar did step forward on Twitter Tuesday to verify that the Kaseya master key published on the dark web was not for all the REvil attacks that happened concurrently.
“The REvil hardcoded operator public key is 79CD20FCE73EE1B81A433812C156281A04C92255E0D708BB9F0B1F1CB9130635,” Wosar, who also is a ransomware expert, tweeted. “The leaked key generates public key F7F020C8BBD612F8966EFB9AC91DA4D10D78D1EF4B649E61C2B9ADA3FCC2C853. Therefore, the leaked key is not the operator private key.”
At this point it’s still unclear how the key made its way to an online forum, although some on Twitter are speculating that one of Kaseya’s customers who used the key may be responsible.
“My bet is it’s a [SIC] NDA violation that someone is trying to divert attention from,” tweeted security reporter Jeremy Kirk of Information Security Media Group. “Doesn’t look like the key is going to be that useful to anyone at this point, though.”
He may be right, as some have reported on Twitter that the key did not perform as expected in tests they are running to prove its legitimacy.
One of the reasons this failure occurred could be because the decryption key posted by @Pancak3 is actually out of date, according to another researcher.
“Kindly note that REvil decrypter version 2.1 / 2.2 was used from more than a year ago,” tweeted offensive security researcher Ahmed Mohamed. “But the version on that screenshot is 2.0. So we can’t guarantee it will be work, but you can try.”
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.