Kaseya has rejected claims that it paid a $70 million ransom to the notorious REvil hacking group.
The software company’s infrastructure was crippled by the attack, alongside systems belonging to hundreds of businesses that used it.
Last week, Kaseya confirmed that it had obtained a universal decryptor key that would allow victims to undo the damage caused by the ransomware.
However, it drew criticism by declining to identify the source of the decryptor beyond saying it came from a third party. In light of growing speculation, an updated statement said:
“Recent reports have suggested that our continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks, but nothing could be further from our goal. While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment. As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom — either directly or indirectly through a third party — to obtain the decryptor.”
A Difficult Dilemma
As we previously discussed on the CoinMarketRecap podcast, the world of ransomware can be an exceptionally tricky one for businesses to navigate.
Companies that pay ransomware demands help encourage cybercriminals to keep attacking victims — and cybersecurity professionals, the FBI, Europol and law enforcement agencies around the world are all in agreement that it’s a bad idea.
But as Sophos security researcher Chester Wisniewski explained:
“You start getting a lot softer in your emotions toward whether someone should pay or not when you realize it literally could be a business-ending event for a smaller mid-sized business.”
Wisniewski also revealed that just 8% of victims who pay a ransom end up getting all their files back, and the typical victim recovers only about 64% of their documents.
Victims also risk being marked as willing to pay. In the U.K., some companies that settled ransomware demands were later targeted a second time by a different criminal group.