Why Did the REvil Ransomware Group Give Up Its Decryption Key?

Almost everyone has heard of the Colonial Pipeline attack and most people have heard something about the SolarWinds exploit. These were both termed ‘supply chain attacks’ because the criminals were able to jump from the main company to attack smaller companies associated with it. The attacks involved infecting an actual update that was distributed to the customers of these larger companies. These affiliated companies, then, passed the update, with its malware, on to their own customers.

Then came what has been called the biggest non-state attack in history and the second biggest ransomware attack ever: the attack on the international IT firm Kaseya. One cybersecurity writer called it “bigger than the Colonial Pipeline ransomware incident. And, yes, more important than the SolarWinds intrusions last year.” Kaseya helps companies manage the security of their networks remotely. It also allows companies to run dedicated Kaseya servers locally, if they prefer. With this ability to access large numbers of networks, Kaseya would be enticing prey for ransomware hackers. And when the company was attacked, its supply chain quickly fell under the hackers’ control. It is estimated that thousands of companies around the world found their networks encrypted. Each of these companies was subsequently subjected to ransom demands in order to get its network back.

The attack left Kaseya in a dangerous position. They had allowed the criminals to infect their legitimate update with malware and were, therefore, responsible for the destruction of all of these affiliated networks. Even if their terms of service stated they could not be held responsible, they must have been well aware that good lawyers for the affected companies in their supply chain could bring expensive lawsuits against them, especially since a case could be made that other cybersecurity tools had been shown to be effective in detecting this infection. It simply looked like Kaseya dropped the ball. So, with the looming potential of dealing with thousands of lawsuits, Kaseya must have realized they were in danger of having their company collapse. They did what any company would do when faced with such a catastrophe: they lawyered up.

Then the hackers, the REvil ransomware group, offered Kaseya a deal. They would decrypt all of these networks for a bargain price of $70 million. If Kaseya agreed to pay this amount, it would, by far, be the biggest ransom ever paid to a ransomware gang.

But there’s a problem with paying a ransom to a Russia-based ransomware group. Doing so may run afoul of U.S. government rules about paying a ransom to a sanctioned entity. In other words, the company may be fined. But would they be fined more than $70 million? Certainly, Kaseya must have begun negotiations with the hackers. In fact, CNBC reported that one of the members of the REvil gang offered a “universal decryptor” which would work for all affected companies for $50 million. But who was this person? Was it a rogue member of the group who saw an opportunity to get rich quick?

This scenario is further complicated by the fact that it is virtually impossible for a relatively small Russian ransomware group to negotiate, in English, with thousands of potential victims. It would be to their benefit to make one deal with Kaseya and leave with enough money to make the attack profitable. For this reason, whatever amount was agreed upon would probably be less, likely far less, than the $50 million asked for.

So you have Kaseya facing financial destruction from lawsuits if they don’t solve this problem, but being morally and, perhaps, legally obligated not to pay a ransom. At the same time, you have REvil, realizing that it can make a lot of money on this hack, but, frankly, finding that they were in over their heads and were, thus, ready to negotiate an acceptable price. That said, in their latest press release (July 26th) Kaseya writes, “Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment. As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.” So, then, the question remains. How did they get the decryptor?

All we know from Kaseya is that they “obtained the tool from a third party”. According to CNN, the company required all of its associates who used the tool to sign a non-disclosure agreement. The reason for this is unclear. What are they afraid of having disclosed?

The lack of information has led to much speculation within the cybersecurity community. One possibility is that a U.S. law enforcement agency obtained the key. It is not impossible that they infiltrated the group, posing as a member or compromising a member, and obtained the key in the process. The REvil ransomware group disappeared from the internet on July 13th. Could it be that they realized they had been compromised by law enforcement and closed up shop before any more damage could occur?

Some speculate that the Russian government may have intervened to put a stop to the attack. Since the Russian government is known to work with these groups, it may have told them to give up the decryption key, shut down, and rebrand once things cooled down. If Putin then handed the key to U.S. law enforcement, Russia would improve its image.

It is important to keep in mind that membership in these ransomware groups is not carved in stone. Many of the members work with Russian government intelligence agencies or with similar agencies in other Russian-speaking countries. Many could work with multiple ransomware groups. Here is the most prominent member of these groups who, unsurprisingly, also has ties to the Russian government.

In other words, referring to groups like Darkside and REvil as discrete entities is mainly just a matter of semantics. It’s no accident that they often share similar strategies. This should be kept in mind with the emergence of the newest ransomware group, called BlackMatter, but more on them in my next post.

Many cybersecurity experts insist that Kaseya must have paid a ransom, despite their claim that they did not and that they received the key through a trusted third party. But this may have been playing with words. Normally, paying a ransom gives the victims access to the ransomware group’s decryption site, where they can decrypt all of their files. This site is only open for a limited time. But what if what Kaseya bought was not such access but a product? If lawyers or negotiators arranged this, the transaction could be termed a simple purchase of a product and not an actual ransom payment, even though some might call it that. REvil would, then, have to agree to stop negotiating with individual companies caught up in the hack, and the easiest way to do this would be to simply disappear from the internet. This would give Kaseya a week to work with their partner, Emsisoft, on learning how to use the decryption tool. When they felt confident that it worked, they could distribute it to all of their affected partners and, thereby, lower their chances of a lawsuit. They may have included a clause saying that the use of the key was contingent on these companies not bringing any future lawsuits against Kaseya, thus explaining the nondisclosure clause. In short, this would be the best deal that Kaseya could hope for, and one that would also satisfy REvil. However, if this is what actually happened, it’s unlikely we will ever learn about it.
