Kaseya Is Making Its Customers Sign Non-Disclosure Agreements to Obtain Ransomware Decryption Key

Although NDAs are common in the cybersecurity sector, they might make it harder to understand how the attack occurred.

Kaseya is requiring customers affected by the massive REvil ransomware attack to sign non-disclosure agreements in order to obtain the decryption key, a move that could shroud the incident in further mystery. Although the decryption key will no doubt bring relief to some victims, others are stating that it will have minimal impact.

A new CNN report published on Friday revealed the non-disclosure agreements, citing several cybersecurity experts working with victims of the attack. The outlet notes that these agreements are not unusual in the cybersecurity industry, but that they could make it harder to understand how the attack occurred. The revelation is the latest step in Kaseya’s tight-lipped response since it announced it had obtained a “universal decryptor” from a “trusted third party” on Thursday.

It is still unknown where Kaseya got the decryptor from and whether it paid the mind-blowing $70 million ransom the REvil cybercriminal gang asked for in exchange for providing the universal key for all the roughly 1,500 victims worldwide in early July. To add another twist to the saga, days after claiming credit for the attack, the REvil gang disappeared from the internet.

The company declined to comment on whether it paid for the key in a statement to Gizmodo on Friday. However, some experts say it’s possible the Russian government could have given Kaseya the key after pressure from the Biden administration. Others claim Kaseya might have paid REvil’s ransom early on, after which the criminals went into hiding.

Cybersecurity experts that spoke with CNN pointed out that some of Kaseya’s clients were frustrated when the company announced it had obtained a universal decryptor because they had already spent time and resources trying to restore their systems on their own, albeit with mixed success. The news about the decryptor came three weeks after the attack.

Andrew Kaiser, vice president of sales at Huntress Labs, told the outlet that a service provider hit by REvil’s attack had spent thousands of hours trying to recover and would have made different decisions if they knew Kaseya was working on getting a decryptor.

“I talked with a service provider yesterday,” Kaiser told CNN, “who said, ‘Hey listen, we’re a 10-to-20-person company. We’ve spent over 2,500 man-hours restoring from this across our business. If we had known there was the potential to get this decryptor a week or 10 days ago, we would have made very different decisions. Now, we’re down to only 10 or 20 systems that could benefit from this.’”

Gizmodo reached out to Kaseya on Saturday to ask for comment on whether it was requiring customers to sign NDAs. We also asked Kaseya if they had a response to victims that expressed frustration over the news regarding the universal decryptor. In an emailed response, the company said it had no comment.
