There may be more clarity around the mystery surrounding how the decryption key for the ransomware used in the Kaseya attack leaked. It kicked off with @FlashpointIntel recounting a confusing post on Exploit that implied law enforcement was involved in gaining the key.
The original post on Exploit by REvil said the decryption key "was leaked by law enforcement agencies due to human error during the key generation process." It was speculated US or Russian LE might have had something to do with the key's appearance.
Two days ago, REvil posted again on Exploit. This time, it says it erroneously generated the key and then passed that on. Per @FlashpointIntel's translation: flashpoint-intel.com/blog/revil-is-…
REvil says: “Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine. Then, in the process of generating the keys, we had to generate between 20 and 500 decryption keys for each [individual] victim."
[because the victims of the Kaseya attack all had networks of different sizes]. "One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That's how we shit ourselves."
The terminology that REvil uses is confusing, but as I understand it, "universal" key means "master" key, which is what was leaked. A master key is the same as a campaign key. bankinfosecurity.com/revil-decrypti…
So is this really how it went down? Remember Kaseya published a blog post around July 27 that said it "unexpectedly" received the key, although that was quickly revised in about 30 minutes. H/T @shanvav
I'd go out on a limb and say what REvil is saying makes the most sense (but that also doesn't mean it's true). Russian LE intervention on this felt to me really unlikely, as well as the suggestion this was US law enforcement/NSA sneaky spy action, etc. Anyone else have a thought?
@BrettCallow tells me: "Forum posts should be taken with a pinch of salt. The criminals know the forums are being monitored and so effectively use them as a press release service. They say what they want us to know. No more, no less."