Kaseya Did Not Pay for REvil Ransomware Decryptor Key

Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor key for the REvil Ransomware attack that struck on July 2, 2021, the MSP software company disclosed on July 26, 2021.

The background: Kaseya suffered a REvil ransomware attack on July 2, 2021. Then, the company on July 21 obtained a decryptor key to help MSPs and end-customers recover from the attack. At the time, Kaseya did not say whether it paid a ransom or extortionists to obtain the key. Fast forward to July 26, 2021, and the software company says no ransomware payment was made.

The Kaseya timeline also includes a July 11 restore of SaaS services for VSA customers, and  patches for on-premises VSA customers.

The attack hit roughly 50 MSPs on July 2, and then spread to 800 to 1,500 businesses worldwide, Kaseya CEO Fred Voccola told Reuters on July 5. Kaseya developed a patch and began a SaaS system restore on July 6, but the company then delayed that restore until Sunday, July 11, Voccola disclosed on July 7.

Meanwhile, ConnectWise on July 13 reactivated an integration with IT Glue — an MSP documentation platform owned by Kaseya. ConnectWise reactivated the connection after receiving written assurances from Mandiant that IT Glue was not impacted by the VSA incident.

Among the remaining question marks:

  • How many customer endpoints overall were encrypted? The hackers claimed to have hit 1 million endpoints, but the actual figure remains unclear.
  • How MSPs are still working to restore their on-premises VSA servers and associated end-customer systems?

Here are the latest breaking details (updated regularly) from MSSP Alert.

Note – Official Statements From Kaseya: Track this URL from Kaseya for official ongoing updates, patch and restore information from the company.

Blog originally published July 2, 2021. Updated regularly thereafter to reflect new developments in the cyberattack investigation and VSA software platform recovery.

Return Home



    Jason Slagle:

    Kaseya requiring an NDA to get access to the decryption utility that essentially silences the MSP is crap.

    We as a company are speaking with our wallet and exiting their ecosystem as soon as possible and will no longer consider any of their products in the future.

    The tactics of silencing end-users in exchange for the ability to decrypt is as morally bankrupt as you can get as a company. I can understand limitations on liability in exchange, but preventing them from speaking about the experience is crossing a line.

    Joe Panettieri:

    Jason: We appreciate your viewpoints. Requiring an NDA isn’t all that uncommon in the cyber market, though the practice has generated plenty of debate in recent years. Please keep us posted as you continue to build/evolve your business.


Leave a Reply

Your email address will not be published.