Kaseya denies paying hackers for decryption key after ransomware attack

Software company Kaseya on Monday strongly denied paying to get access to a key to decrypt its systems following a massive ransomware attack on the company that impacted up to 1,500 organizations earlier this month.

The denial came days after a spokesperson for Kaseya told The Hill it had obtained a decryption key for its systems and those of customers from a “trusted third party,” but did not comment on which third party that was and whether it had paid a ransom.

“While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment,” the company wrote in a statement released Monday. “As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”

The company was hit by a ransomware attack ahead of the Fourth of July holiday weekend that has been linked by cybersecurity experts to the Russia-based REvil cybercriminal group, though the federal government has not made an official attribution. 

REvil is the same group the FBI believes was behind the ransomware attack in May on meat producer JBS USA, a company that admitted to paying the hackers a ransom the equivalent of $11 million to regain access to its networks.  

Websites on the dark web used by REvil went dark days after the attack on Kaseya and after REvil had demanded $70 million in ransom, later lowering the demand to $50 million.

Kaseya stressed Monday that its initial silence on whether it paid the hackers for the decryption key was not intended to “encourage additional ransomware attacks,” and that the company is focused on customers impacted, many of which were small businesses. 

“Throughout this past weekend, Kaseya’s Incident Response team and Emsisoft partners continued their work assisting our customers and others with restoration of their encrypted data,” the company wrote. “We continue to provide the decryptor to customers that request it, and we encourage all our customers whose data may have been encrypted during the attack to reach out to your contacts at Kaseya. The decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack.”

The attack on Kaseya is one of the largest ransomware attacks in history, and comes amid escalating cyberattacks over the past year, including the ransomware attack on Colonial Pipeline in May by Russian-based group DarkSide. Colonial also chose to pay the ransom demanded, although the Justice Department later recovered the majority of the funds. 

President Biden and his administration have made cybersecurity a priority following the attacks, which have also included the SolarWinds hack, linked by U.S. intelligence agencies to the Russian government and which involved nine federal agencies being compromised for much of last year. 

Biden discussed cybersecurity concerns with Russian President Vladimir Putin during their summit in Geneva last month, and called Putin in the days after the attack on Kaseya to emphasize the need to take action against Russian-based cybercriminals.