Someone Came to Rescue REvil’s Ransomware Victims, but Who?

Victims of the latest ransomware attack by Russian hackers may soon feel a little relief. Kaseya, the IT management software company that Russian hackers hit earlier this month, said it has obtained a tool to help victims recover from the attack and unlock their files.

The development will surely be welcome news for victims of the attack, one of the most prominent ransomware incidents to date, with thousands of victims around the world. It hit schools in New Zealand and disrupted a number of Swedish grocery stores, along with other businesses.

But the mystery of who, exactly, saved the day is beginning to unravel.

Kaseya spokeswoman Dana Lidholm initially declined to comment on the source of the tool in a phone call on Tuesday, noting only that it came from a trusted third party which, due to a confidentiality agreement, she could not identify.

Brett Callow, a threat analyst at the security company Emsisoft, told The Daily Beast that the decryption tool was Kaseya's and should be useful to victims.

But new details about the tool's release emerged on Friday. They could help settle whether the U.S. government intervened against the hackers behind the ransomware attack, or whether Kaseya paid the ransom.

Kaseya confirmed to The Daily Beast on Friday that the tool was created by Emsisoft, but noted that while "it was created by Emsisoft," it was "based on our original version taken by a trusted third party" that Kaseya did not identify.

Callow of Emsisoft declined to comment on the specifics of the case, but noted that "in general, we have the ability to decrypt keys from threat actors' encryption and put them in our hands, which is much faster and safer." Charles Carmakal, senior vice president and chief technology officer at Mandiant (FireEye), which is investigating the ransomware incident, confirmed to The Daily Beast that Emsisoft had created the decryption tool, but declined to give details of the tool's origin.

Amid the secrecy about the identity of this third party, there has been speculation that Kaseya or another victim paid the hackers millions of dollars for the key. The Russian-speaking hackers, known as REvil, locked up Kaseya's clients and their clients' files earlier this month, demanding $50-70 million to unlock them. Kaseya spokeswoman Lidholm declined to share what the company had paid.

Others have speculated that the U.S. government intervened and seized the hackers' servers to help find a way for victims to unlock their files. Such an intervention would have come just weeks after the Biden administration warned the Kremlin that if it did nothing to rein in criminal hackers operating inside Russia, the U.S. government would take matters into its own hands. Biden suggested that the U.S. government could go after hacker servers as one option. The Kremlin has said in statements in recent weeks that it will ignore requests from the Biden administration for help.

It is not clear whether the U.S. has done anything to disrupt the ransomware group. But the Russian-speaking hackers mysteriously went dark just last week without comment. (It is possible that the hackers simply went quiet in the wake of the government's warnings; ransomware groups go dark every year only to come back online under a new name and brand to avoid the attention of law enforcement.) FireEye's security analysts at the time suggested that this was a planned and simultaneous shutdown.

Allan Liska, a researcher at the cybersecurity company Recorded Future, says few would be able to produce a universal decryption tool for victims without hacking into and seizing the hackers' servers, or otherwise gaining access to the keys needed to unlock victims' computers.

“It’s hard to get an engineer back from an attack just because of the damage,” Liska told the Daily Beast. “But if you capture the servers, you have access to their backup infrastructure. The keys are in that infrastructure behind them. So if you get their infrastructure, you can get the key.”

The National Security Agency referred requests for comment to the White House and Kaseya. The FBI, U.S. Cyber Command and the White House did not immediately return requests for comment.

“If a universal decryption key is built … it means that there are private keys for each victim, which is definitely just the REvil thing.”

– John Hammond, senior security researcher at Huntress Labs

Whether or not Kaseya is bound by a confidentiality agreement with a third party, the public should know whether it paid a large ransom demand, Liska said.

John Hammond, who is investigating the ransomware attack, says the fact that Kaseya is keeping quiet under a confidentiality agreement could provide some clues as to the origin of the tool, and some indication of U.S. government intervention against, and surveillance of, the REvil hackers or their infrastructure.

“If a universal decryption key is built … it means that every victim needs to have private keys, which will definitely be just a REvil thing,” Hammond, a senior researcher at Huntress Labs, told The Daily Beast. “If REvil is extraordinary and suddenly there is a new universal decryption key that Kaseya got – but because of a privacy agreement it can’t share – I have to think it’s a federal organization. They said we were working with the FBI, working with other authorities to detect and re-establish the incident.”
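The reasoning in Hammond's and Liska's remarks (a universal decryptor implies access to a master secret that unwraps every victim's individual key, and that secret lives in the operators' backend infrastructure) can be made concrete with a small key-escrow model. The following is an added illustration, not code from the article, from Emsisoft, or from any ransomware family: it assumes an envelope-encryption design in which each victim gets a random key that is stored wrapped under a campaign-wide master secret. Two simplifications are labelled in the comments: the master secret is a symmetric value rather than an asymmetric key pair, and wrapping uses an HMAC-derived keystream. All function names and the victim identifiers are hypothetical.

```python
# Added illustration (not from the article or any vendor's code): a toy
# key-escrow model of why a "universal decryptor" implies holding the
# campaign master secret, while a single per-victim key unlocks one victim.
#
# Simplifications (assumptions of this example, not facts about REvil):
#   - the master secret is one symmetric value, not an RSA/ECC key pair;
#   - key wrapping is XOR with an HMAC-SHA256 derived keystream.
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes; per-victim key size in this model


def _keystream(master: bytes, nonce: bytes) -> bytes:
    """Derive a 32-byte wrapping keystream from the master secret and a per-victim nonce."""
    return hmac.new(master, b"wrap" + nonce, hashlib.sha256).digest()


def _check_value(victim_key: bytes) -> bytes:
    """Key-check value so a candidate key can be verified without the plaintext."""
    return hmac.new(victim_key, b"check", hashlib.sha256).digest()


def wrap_victim_key(master: bytes, victim_key: bytes) -> tuple:
    """Return (nonce, wrapped_key, check) for escrow under the master secret."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(master, nonce)
    wrapped = bytes(a ^ b for a, b in zip(victim_key, ks))
    return nonce, wrapped, _check_value(victim_key)


def unwrap_victim_key(master: bytes, nonce: bytes, wrapped: bytes) -> bytes:
    """Recover a per-victim key; only correct if the same master secret is used."""
    ks = _keystream(master, nonce)
    return bytes(a ^ b for a, b in zip(wrapped, ks))


def enrol_victims(master: bytes, victim_ids) -> tuple:
    """Generate a fresh random key per victim. Returns (escrow, truth).

    escrow: what an operator's backend would hold (nonce, wrapped key, check).
    truth:  the real per-victim keys, kept here only so tests can compare.
    """
    escrow, truth = {}, {}
    for vid in victim_ids:
        key = secrets.token_bytes(KEY_LEN)
        escrow[vid] = wrap_victim_key(master, key)
        truth[vid] = key
    return escrow, truth


def universal_decryptor(master: bytes, escrow: dict) -> dict:
    """With the master secret every escrowed key unwraps; with a wrong one, none verify."""
    recovered = {}
    for vid, (nonce, wrapped, check) in escrow.items():
        candidate = unwrap_victim_key(master, nonce, wrapped)
        if hmac.compare_digest(_check_value(candidate), check):
            recovered[vid] = candidate
    return recovered


def recoverable_victims(escrow: dict, master: bytes = None, held_keys: dict = None) -> set:
    """Which victims can be unlocked given what the holder actually possesses."""
    unlockable = set()
    if master is not None:
        unlockable |= set(universal_decryptor(master, escrow))
    for vid, key in (held_keys or {}).items():
        if vid in escrow and hmac.compare_digest(_check_value(key), escrow[vid][2]):
            unlockable.add(vid)
    return unlockable


if __name__ == "__main__":
    # Constructed sample: three hypothetical victims enrolled under one master secret.
    master = secrets.token_bytes(32)
    escrow, truth = enrol_victims(master, ["victim-a", "victim-b", "victim-c"])
    print("with master secret:", sorted(recoverable_victims(escrow, master=master)))
    print("with one victim key:", sorted(recoverable_victims(escrow, held_keys={"victim-b": truth["victim-b"]})))
    print("with wrong master:", sorted(recoverable_victims(escrow, master=secrets.token_bytes(32))))
```

The design point for defenders: a decryptor handed out per victim can be built from that victim's unwrapped key alone, so an intermediary holding the master secret can help every victim without ever releasing the secret itself, which is consistent with a tool being distributed under a confidentiality agreement.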

Kaseya declined to tell The Daily Beast whether it had cooperated with federal authorities to obtain the decryption tool.

Liska says Vladimir Putin, on the Russian side, could have pulled strings and forced the hackers to hand over the key.

“There was a lot of speculation that when REvil was arrested or retired … it was at the behest of the Kremlin,” he said, “[saying] ‘Well, we’re done with you, man.’ Although the Kremlin itself says we don’t know anything about it … they could have gotten the key from it [REvil] and delivered it to someone through an intermediary.”

Mike Hamilton, a former vice chairman of the U.S. government's State, Local, Tribal, and Territorial Coordinating Council, says it may have been in the hackers' own interest to release the key, to take the pressure off the Russian-speaking hackers without any intervention by Moscow.

“Perhaps REvil’s group has leaked it to suppress this hunt, which they are now looking for,” Hamilton, now CISO of CI Security, a security company, told The Daily Beast.

For now, some are still waiting to recover from the ransomware incident, Hamilton said, adding that a client of his, an unidentified victim, has not yet received the new decryption tool from Kaseya. A Kaseya spokesperson told The Daily Beast that it is helping its direct customers, managed service providers (MSPs), unlock their systems first, and then expects them to share the tool with their own customers.

“Those end-user clients access the decryptor through the MSP (our customer), and in any case the MSP needs to provide this technical support,” Lidholm told The Daily Beast.

And although the origins of the tool remain a mystery, the tool itself seems to work, says Carmakal.

“The Emsisoft decryptor is better built than all the threat actor code – it’s faster and more efficient,” Carmakal told The Daily Beast.

For victims who have been waiting almost a month, there is nothing better than this.
