Kaseya is currently helping to restore the systems of customers whose networks were still locked down by REvil’s software, it said.
“I can confirm we have received a decryptor and are currently working to assist the customers impacted by the attack,” said Kaseya spokesperson Dana Liedholm. “We can’t share the source but can say it’s from a trusted third party.”
Liedholm declined to answer further questions about whether the decryptor key had been reverse-engineered from the REvil malware.
Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, said his firm had verified the effectiveness of the key at restoring victim data.
“We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers,” Callow told CNN.
Underscoring that point, Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, said that although he is not involved with the situation at Kaseya, he’s confident the key should work.
“There are very limited circumstances where I’ve obtained a decryptor during a negotiation and found out it either doesn’t work or found some major problem with it,” Schmitt said. “The percentage of cases or incidents where the decryptor just flat-out doesn’t work is really, really low and is closer to zero than anything.”
It is still unclear how the attackers managed to gain access to Kaseya’s product.