Kaseya says it didn’t pay ransomware gang for decryption key after hacks affected hundreds

Kaseya, the company at the center of a ransomware outbreak that claimed perhaps thousands of victims, said on Monday that it didn’t pay off the attackers to obtain the decryption tool it announced last week.

The Florida IT firm, breached just before the July 4 holiday, did not elaborate on how it obtained the working decryption key, beyond its statement that a “trusted third party” provided it.

“While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment,” the company said in a website update. “As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom — either directly or indirectly through a third party — to obtain the decryptor.”

Kaseya said it was teaming with the security firm Emsisoft to work with its affected customers to restore their encrypted data, extending the decryption tool to those who request it.

The breach of Kaseya’s VSA software led to ransomware attacks on its managed service provider customers, and then on the customers of those IT service companies as well. In all, the hackers claimed between 800 and 1,500 victims, Kaseya estimated, although some believe the total to be higher. REvil, a ransomware outfit widely suspected to be based in Russia, claimed credit for the disruption.

The Kaseya incident was one of a trio of recent ransomware attacks, alongside incidents at Colonial Pipeline and JBS, to elevate government policymakers’ focus on the epidemic of digital extortion. But the Kaseya cleanup has had some hitches, too.

The decryption key’s arrival comes too late for some victims. And Kaseya has declined to comment on why it was requiring customers to sign non-disclosure agreements in exchange for the decryption key.