Journalists at The Washington Post have found out how the FBI obtained the key for decrypting data affected by the REvil ransomware attacks.
First, some background on what is happening: last week Bitdefender published a universal utility for decrypting files affected by attacks of the REvil (Sodinokibi) ransomware. The tool works for any data encrypted before July 13, 2021.
At the time, experts reported that the tool was created in collaboration with “trusted law enforcement partners,” but the company declined to disclose any details, citing an ongoing investigation. According to people familiar with the matter, the partner was not the FBI.
July 13 is mentioned above for a reason: on that day the entire REvil infrastructure went offline without explanation. The hacker group completely “disappeared from the radar” for a while, and as a result many companies were left without any way to recover their data, even if they were willing to pay the hackers a ransom.
It is important to note that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks, and law enforcement agencies and authorities took a keen interest in the hackers.
Then, after the group had already “disappeared”, representatives of the affected Kaseya unexpectedly announced that they had a universal key to decrypt customer data. At the time, the company refused to disclose where this tool had come from, limiting itself to a vague “from a trusted third party.”
However, the company assured that the tool was universal and suitable for all affected MSPs and their clients. Moreover, before sharing the tool with clients, Kaseya required them to sign a non-disclosure agreement.
As the Washington Post now reports, the assumptions of many cybersecurity experts were correct: Kaseya did indeed receive the key from FBI representatives. Law enforcement officials say they infiltrated the hack group's servers and extracted a key from there, which ultimately helped decrypt data on 1,500 networks, including those of hospitals, schools and enterprises.
However, the FBI did not immediately share the key with the victims and the company. For about three weeks the FBI kept the key secret, intending to carry out an operation to eliminate the hack group and not wanting to reveal its cards to the criminals. But law enforcement ran out of time: the REvil infrastructure went offline before the operation began. Only then was Kaseya given the key to decrypt the data, and Emsisoft experts prepared a special tool for the victims.
Journalists note that because of the resulting delay, it was already too late for many of the victims. For example, the publication quotes a representative of JustTech, one of Kaseya's MSP clients.
The company spent more than a month restoring its customers' systems, since restoring from backups or replacing systems is an expensive and time-consuming process:
The Swedish grocery chain Coop, also affected by the attack, said it still does not know how much the temporary closure of its stores will cost: