Social media is a great place to speculate on things.
And in this case, people are speculating about the supply chain cyberattack against Kaseya. The attack infected hundreds of Kaseya's downstream clients with ransomware.
The ransom demand by the REvil group was initially $70 million for a universal decryption key.
Then, on July 22nd, the company announced some positive news for those whose systems were locked up and had been out of luck:
"Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we're working to remediate customers impacted by the incident.
We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments...."
[RELATED: Kaseya's Race to Patch Ends in Ransomware Attack]
How did Kaseya obtain the decryption key?
A company spokesperson told reporters that Kaseya obtained the key from a "trusted third party." What does that mean?
Social media and #InfoSecTwitter speculation ramped up quickly. Who, how, why, how much for Kaseya to get its hands on this decryption key?
@uuallan listed some options, including Kaseya paying or the Kremlin seizing it and handing it over.
This kind of speculation continued for five days, with Kaseya silent on the matter—until now.
Kaseya denies paying ransom to REvil hacking group
In a statement on July 26th, Kaseya finally addressed the speculation about how it got the universal decryptor. Did the company pay a ransom?
"Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal.
While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment. As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom—either directly or indirectly through a third party—to obtain the decryptor."
So now we can take "Kaseya paid" off the list. And social media can speculate about the other possibilities.
Kaseya says universal decryptor is unlocking files
Also in its most recent update, Kaseya says the decryptor is working flawlessly to unlock systems.
"We continue to provide the decryptor to customers that request it, and we encourage all our customers whose data may have been encrypted during the attack to reach out to your contacts at Kaseya. The decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack."
And as it turns out, the decryptor may be working better than the patches Kaseya has been pushing through to its MSP customers. SecureWorld heard from one of them, yesterday:
"The installation was a pain and didn't work on the first try. Took some 48 hours more to get the Kaseya support involved and the patch installed.
Our current status is that our Kaseya server is up and running, but some features are (temp.) disabled and some others do have issues.
So right now, I'm waiting for another patch to get this sorted out."
You can sense the frustration as this is the status update weeks after the cyberattack.
