Kasia Obtains Ransomware Decryptor to Help VSA Victims

There's some good news for Kasia VSA customers struggling to recover from the Revil ransomware attack earlier this month: The company has found a decryptor to decrypt encrypted data.

The company said on Thursday that it is helping affected customers after receiving a decryption tool from an unnamed third party. Till now he has not received any report of any problem. Kaseya is working with Emsisoft to support customers' efforts, and, it says, Emsisoft has confirmed that the key is effective in unlocking victims' data.

Having a decryptor is a great help for organizations that don't have a good backup of their data or have an awkward backup process. However, it doesn't help with the cost of rebuilding PCs, servers, and networks to ensure that the malware is cleaned up.

Getting decryptors isn't the end of a tough time for Kasia after the on-premises version of the VSA remote IT monitoring suite was infected by Revil ransomware on July 2. It is still unclear exactly how the company was attacked. Most security researchers believe this was through one or more unpublished zero-day vulnerabilities within the product. Once they gained access, the attackers created a fake malicious automatic update called the "Kasia VSA Agent Hot-Fix", which was pushed to VSA servers in Kasia's customers' network. The update disabled Kasia VSA administrative access, allowing the Revil/Sodinokibi ransomware to be distributed, mostly to managed service providers. This in turn was then passed on to their 1,500 customers.

Although it was only the on-premises version of VSA that was affected, Kasya took its cloud version of the software offline as a precaution.

It took until July 12 for Kaseya to update its cloud service and bring it back online, as well as release a patch for the on-premises version. Some functions were disabled in the patch to make customers run more quickly. It was not until 19 July that improvements were released that restored full functionality to VSA.

As far as the Russian-based Ravil Gang is concerned, a ransomware-as-a-service operation with multiple collaborators actually targeting and infiltrating victims, followed by a ransom demand of several million dollars After doing so, its web site disappeared. No one knows whether it has come under pressure from the Russian authorities, or is just temporarily keeping a low profile.