REvil Failed To Delete Victims' Backups In Kaseya Ransomware Attack, Now Not Receiving Ransom Payments


The REvil ransomware attack last week was built for scale, yet new evidence suggests that the gang failed to destroy the victims' backups, so many victims can restore their data instead of paying a ransom.

When a ransomware gang launches an attack, it usually spends time inside the network, stealing data before finally encrypting the servers. A victim who knows that their data has been both stolen and encrypted is more likely to pay, both to get a decryptor and to stop the stolen information from being leaked.

Instead of following this standard procedure, REvil chose to exploit a zero-day vulnerability in on-premises Kaseya VSA servers to reach the maximum number of victims in one pass. They pulled off the largest ransomware attack in history, affecting over 1,500 businesses. But in trading hands-on access for reach, they failed to delete the victims' backups and did not steal any data.

Fabian Wosar, CTO of Emsisoft, obtained the configuration of the REvil sample used in these attacks. It shows that the REvil affiliate tried, unsuccessfully, to delete the files stored in the victims' backup folders.
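A responder who recovers such a configuration wants to know which files on a given host the wipe rules would actually have hit, and which were spared by the exclusion lists these configs carry. The script below is an added triage example, not code from the article or from the malware: it walks a constructed directory tree and applies a simplified configuration whose key names ("wipe_folders", "skip_folders", "skip_extensions") and match rules are assumptions for this example, not REvil's real format.

```python
import os
import tempfile
from pathlib import Path

# Constructed, simplified configuration in the shape the article describes:
# a list of folder names to wipe, plus the folder and extension exclusions
# such configs usually carry. Key names are assumptions for this example,
# not the malware's actual format.
SAMPLE_CONFIG = {
    "wipe_folders": ["backup", "backups"],
    "skip_folders": ["windows", "program files", "$recycle.bin"],
    "skip_extensions": [".exe", ".dll", ".sys"],
}


def would_wipe(path, config):
    """Return True if any component of `path` names a wipe folder and no
    exclusion rule protects the file. Exclusions win over wipe rules, and
    matching is case-insensitive on whole folder names (an assumption that
    mirrors how these configs are typically evaluated)."""
    parts = [p.lower() for p in Path(path).parts]
    if any(p in config["skip_folders"] for p in parts):
        return False
    if Path(path).suffix.lower() in config["skip_extensions"]:
        return False
    return any(p in config["wipe_folders"] for p in parts)


def triage(root, config):
    """Walk a file tree and return (targeted, spared) lists of relative paths
    in POSIX form, sorted, so the result is stable across platforms."""
    targeted, spared = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            (targeted if would_wipe(rel, config) else spared).append(rel)
    return sorted(targeted), sorted(spared)


def build_sample_tree():
    """Create a constructed directory layout for the demo and return its root.
    The paths are invented; they only need to exercise each rule once."""
    root = tempfile.mkdtemp(prefix="triage_")
    layout = [
        "Backup/db/2021-07-01.bak",        # in a wipe folder: targeted
        "Backup/tools/agent.exe",          # wipe folder, but .exe is excluded
        "Users/alice/Documents/report.docx",  # not in any wipe folder
        "Windows/Backup/state.bin",        # under an excluded folder
    ]
    for rel in layout:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root


def demo():
    """Build the sample tree and triage it with the sample configuration."""
    return triage(build_sample_tree(), SAMPLE_CONFIG)


if __name__ == "__main__":
    hit, safe = demo()
    print("targeted:", hit)
    print("spared:  ", safe)
```

Run against a mounted image of an affected host (with the real config's lists substituted in), the targeted list is the set of backups to treat as lost and the spared list is what can be restored from. The point the article makes is visible in the output: even a wipe rule that names the backup folder leaves files untouched when an exclusion applies or when the folder is not where the rule expects it.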

While it is possible that some companies paid a ransom to obtain a decryptor, overall the attack was not as successful as REvil had planned.

No data was stolen either, which leaves the gang with little leverage over its victims.

According to researchers, the victims were lucky in that the attackers never gained hands-on access to their networks. Everything had to be done by the ransomware itself through the VSA exploit, so the attackers depended on automated routines to wipe backups, and those routines are far less reliable than a human operator working inside the network.

The attackers' tactics clearly failed: many victims report that their backups were untouched, and they chose to restore from them rather than pay.

Bill Siegel, CEO of ransomware negotiation firm Coveware, commented:

“The disruption is still bad, but encrypted data that is unrecoverable from backups may end up being minimal. This will translate to a minimal need to pay ransoms. Impacted MSPs are going to be stretched for a while as they restore their clients, but so far none of the clients we have triaged have needed to pay a ransom. I’m sure there are some victims out there that will need to, but this could have been a lot worse.”

While many companies had a rough week, most of them should be able to get back on their feet quickly.

About the author

CIM Team
