The missing hackers

[Bloomberg]( Hi, this is Kartikay on the cyber team. Ransomware attacks always hurt—but perhaps never more so than when the victim is compromised through the very company they pay for IT and security services. That’s what happened to the nearly 1,500 targets attacked through a vulnerability at Kaseya Ltd., an IT management and antivirus software provider. Eastern European hackers [compromised Kaseya in early July](, and then went on to infect its customers and, in turn, their customers en masse with ransomware made by the REvil hacking group. The breach was ironic, but typical of the ransomware attacks that have increasingly roiled global business in recent months. Usually, after hackers take control of company networks, those networks are restored only when the company is able to tap its backup servers, or when it pays the hackers for a decryption key. It was the aftermath of the Kaseya case where things got unusual. Two weeks after the initial attack, the REvil ransomware gang [vanished from the internet](. It’s still unclear exactly what happened to REvil. They may have been asked to cease operations by Russia at President Joe Biden’s insistence. Or maybe western law enforcement toppled their infrastructure. Or maybe they realized they’d bitten off more than they could chew and decided to lay low. But while some celebrated the disappearance as a victory against cybercrime, many of REvil’s recent victims were left in purgatory, said John Hammond, senior security researcher at the cybersecurity firm Huntress. Multiple recent victims, including some compromised in the Kaseya attack, were still waiting for REvil to help them restore access to their networks when the group went offline, Hammond said. They had either paid but were waiting for their decryption key when REvil went missing, or they very much wanted to pay, but by the time they negotiated a price, there was no one on the other end of the line to receive the cash. “People that were in that unfortunate situation, it just really sucks,” Hammond said. “They reached out to anyone who could help, but it’s tough because they all came up empty handed.” According to two people familiar with REvil’s targets, at least three victimized companies that were left in the lurch when the group went offline were able to fully restore operations using still-accessible backup files. Six others have partially restored services, said the people, who asked to remain anonymous discussing private information. But many of the rest of the victims—including manufacturers healthcare providers and private schools—were left to frantically reach out to their MSPs, competitors and cyber research firms in what was ultimately a fruitless hunt for a functional decryption key. Unfortunately, landing a key that works on multiple victim networks is extremely rare. But all was not lost. Last week, about three weeks after the first attack, Kaseya [announced that it had obtained]( a “universal decryptor key”—a tool the company said it has offered to all victims compromised by REvil malware via access to Kaseya. REvil had earlier offered this key for $70 million. On Monday, [Kaseya said that it did not pay]( REvil or any other hacker group a ransom for access to it. The company says it has since distributed the key widely, including to many of its 54 clients compromised in the attack. Those 54 have since been authorized to share the key with their own clients to connect as many of the nearly 1,500 victims as necessary, said Dana Liedholm, a spokesperson for Kaseya. She could not offer an estimate for the number of victims who have used the decryptor. While Kaseya's clients may get some relief, the attack underscores deeper vulnerabilities in corporate America and beyond. By hacking an IT firm and cyber defender with special access to clients, bad actors were able to create a mass cyber-casualty event, the effects of which are still playing out. That could provide a blueprint for future, even more dangerous attacks—whether or not the hackers are there to collect. —[Kartikay Mehrotra](mailto:kmehrotra2@bloomberg.net) If you read one thing Inside Google’s quest to become a cloud computing giant. The company’s cloud chief, Thomas Kurian, was known to scream at some executives in one-on-one meetings, but the yelling eased when the pandemic took hold. Kurian [said Google has changed his management style](. He’s changed Google, too. Sponsored Content GEP commissioned a survey of over 400 senior business leaders from the world’s leading global enterprises to determine the real costs of supply chain disruptions. The impacts run deeper and wider than what most enterprises had anticipated. [Read the full report here >>]( GEP And here’s what you need to know in global technology news The China tech crackdown continues. Meituan, the largest food delivery service in the country, saw its stock dip by a record 14% after Beijing [announced a series of sweeping reforms]( for private-sector companies. China’s tech restrictions are notably targeting [consumer-facing companies](, writes Bloomberg Opinion’s Noah Smith on his Substack. A U.S. probe into the most popular stablecoin, Tether, is homing in on whether executives behind the digital token committed bank fraud—[potentially a criminal case](. Bitcoin has been on a ride amid speculation that Amazon could accept cryptocurrency as payment this year. [After rallying, the currency dipped]( when the company denied that was its plan. Follow Us More from Bloomberg It's time to Power On. A weekly newsletter by Bloomberg’s Mark Gurman delivers Apple scoops, consumer tech news, product reviews and the occasional basketball take. [Sign up to get Power On]( in your inbox on Sundays.  Like Fully Charged? | [Get unlimited access to Bloomberg.com](, where you'll find trusted, data-based journalism in 120 countries around the world and expert analysis from exclusive daily newsletters. You received this message because you are subscribed to Bloomberg's Fully Charged newsletter. If a friend forwarded you this message, [sign up here]( to get it in your inbox. [Unsubscribe]( [Bloomberg.com]( [Contact Us]( Bloomberg L.P. 731 Lexington Avenue, New York, NY 10022