There may be more clarity around the mystery surrounding how the decryption key for the ransomware used in the Kaseya attack leaked. It kicked off with @FlashpointIntel recounting a confusing post on Exploit that implied law enforcement was involved in gaining the key.
The original post on Exploit by REvil said the decryption key "was leaked by law enforcement agencies due to human error during the key generation process." It was speculated US or Russian LE might have had something to do with the key's appearance.
REvil says: "Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine. Then, in the process of generating the keys, we had to generate between 20 and 500 decryption keys for each [individual] victim [because the victims of the Kaseya attack all had networks of different sizes]. One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That's how we shit ourselves."
The terminology that REvil uses is confusing, but as I understand it, "universal" key means "master" key, which is what was leaked. A master key is the same as a campaign key. bankinfosecurity.com/revil-decrypti…
So is this really how it went down? Remember Kaseya published a blog post around July 27 that said it "unexpectedly" received the key, although that was quickly revised in about 30 minutes. H/T @shanvav
I'd go out on a limb and say what REvil is saying makes the most sense (but that also doesn't mean it's true). Russian LE intervention on this felt to me really unlikely, as well as the suggestion this was US law enforcement/NSA sneaky spy action, etc. Anyone else have a thought?
@BrettCallow tells me: "Forum posts should be taken with a pinch of salt. The criminals know the forums are being monitored and so effectively use them as a press release service. They say what they want us to know. No more, no less."
• • •
The Shanghai PSB database is so odd. Aside from Uyghur tracking, personal info of random Westerners who entered China, there are mundane police blotter reports -- an accident involving a van and a bicycle (see screenshot), theft of old power meters. Why is it all mashed together?
And why is the _index for all this stuff labelled in English "uighurterrorist" when literally everything else - except for Westerner names who crossed the border - is in Mandarin?
There has been excellent reporting by @seanrubinsztein and @hui_echo about who is in the database. This may be unanswerable, but how does data from at least two Chinese security agencies end up in an open Elasticsearch database on Alibaba's cloud where anyone could find it?