Kaseya denied it paid a ransom either directly or indirectly in exchange for a decryption key after a cyberattack struck the IT company earlier this month.
The company has not disclosed how it obtained the decryptor, but addressed in a July 26 statement reports suggesting its silence on the matter may mean it paid the $70 million that was demanded by the affiliate of the REvil ransomware group.
“While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment," the company said in a statement. "As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”
As Kaseya’s response team and partners assist customers and others affected by the attack, reports surfaced that the tech company is requiring customers to sign non-disclosure agreements to obtain the decryptor to regain access to the data that was encrypted by the ransomware. Kaseya declined to comment in response to a request from SC Media.
If the reports are indeed true, experts say NDAs would make understanding of the attack all the more difficult for the cybersecurity community.
“We already have barely any information, and this move means we're unlikely to learn much more,” said Jeff Barke, vice president of cybersecurity at Illusive, in a statement. The point was reinforced by Mark Kedgley, chief technology officer at New Net Technologies, who said the NDA "will help lessen further analysis and discussion of the attack."
"While you could see this would be desirable for Kaseya, it won’t further the cyber security community’s understanding of the breach itself," he added.
Also of note is the fact that the REvil group seemed to disappear from the internet, further fueling speculation around the incident.
SC Media reported that the ransomware was installed July 2 by an affiliate of the REvil group using a chain of vulnerabilities in VSA software, including an authentication bypass and a SQL injection.
The company advised on-premises VSA users to turn off their system. Kaseya quickly turned off its software-as-a-service version as a precautionary measure, despite no known hacking arising from the SaaS product. Kaseya released a patch for on-premises versions of its VSA remote monitoring and management software July 11, and began its rollout of the software-of-a-service version of the tool.
The company stated it believes between 50 and 60 total customers were victims of the REvil outbreak, but with a large MSP client base, Kaseya believes around 1,500 total downstream businesses were ultimately infected.
Steve Zurier contributed to this report.