UPDATED 21:00 EDT / JULY 22 2021

Kaseya obtains master decryptor for victims of REvil ransomware attack

Information technology management software firm Kaseya Ltd. has obtained a master decryptor for victims of the REvil ransomware attack that targeted its customers earlier this month.

Kaseya said in a security update today that it has obtained the tool from a third party and has teams actively helping customers affected by the ransomware to restore their environments. The company added that there are no reports of problems or issues with the decryptor and that it’s working with Emsisoft Ltd. to support customer engagement efforts.

The attack by REvil started July 2 and targeted a zero-day, or until then unknown, vulnerability in the Kaseya VSA remote management application. Exactly how many Kaseya downstream customers were affected remains unclear, but estimates have put the number at between 800 and 1,500.

REvil subsequently demanded a $70 million ransom payment for a decryption key.

The attack gained the attention of the White House, which threatened to take action against Russia if the REvil attack was linked to the country. REvil is believed to operate out of Russia but is not known to be linked to the Russian government. Following the threat, REvil disappeared on July 13. Whether it was an action taken by the Russian government or was an indication that REvil decided to cut and run is unknown.

That REvil has seemingly disappeared raises the question of how Kaseya obtained the decryption key. When asked by Bleeping Computer for details, the company declined to say from whom it obtained the decryptor. Adding fuel to the fire, Kaseya also refused to confirm or deny whether it had made a ransom payment.

Whichever way it obtained the decryptor, the news will come as a relief to its customers.

“The sudden appearance of this universal key suggests that it is possible that this ransom may have been paid, although it is likely that the ransom would have been negotiated to a lower price,” Ivan Righi, cyberthreat intelligence analyst at digital risk protection solutions company Digital Shadows Ltd., told SiliconANGLE. “While the master decryption key has been acquired, the attack should not be considered to be over.”

REvil is known to exfiltrate data from victims, so the group may still have copies of data stolen from victims, Righi explained. “The group could use this data to extort victims or auction off the data, as it has done in the past on its website Happy Blog,” he said. “However, the group’s current activities are unknown since going dark, when their sites vanished and representatives got banned on prominent forums.”

Image: Kaseya