
REvil Decryptor Helps Bring Kaseya Ransomware Attack to an End

Michael Behr


While this may hopefully wrap up the Kaseya ransomware attack, REvil may remain a threat.

A universal decryptor to help victims of the Kaseya ransomware attack, one of this year’s biggest, has been released.

Developed by cybersecurity experts Bitdefender, and “a trusted law enforcement partner,” the tool will allow groups that had their data locked to decrypt their systems.

Bitdefender’s tool unlocks data encrypted by malware used by the notorious ransomware gang REvil, also called Sodinokibi.

“This decryption tool will now offer those victims the ability to take back control of their data and assets,” Bitdefender said.

The Kaseya ransomware attack saw REvil exploit the company’s products, affecting hundreds of companies that use Kaseya’s software. The cybercriminals demanded $70m in bitcoins in exchange for the universal decryptor.

Individual businesses could receive a decryptor for their own systems for the comparatively low price of $44,999.

Kaseya recently claimed that it had received a universal decryptor. The exact provenance of the tool was unknown at the time, with the company claiming it came from a “trusted third party”.

However, the tool was not the master key for the gang’s malware. While it was able to unlock all the files in the Kaseya attack, it was unable to unlock files hit by REvil at the same time as the Kaseya attack.

While Kaseya denied ever paying the ransom for the decryptor, REvil still had a big payday this year – $11 million from major meat supplier JBS.

Not long afterwards, REvil disappeared from the internet. There was some speculation about why: whether they had taken their money and run, were lying low after their high-profile jobs, or had been driven offline by pressure from US or Russian authorities.

While nobody would mourn the loss of a ransomware gang, it did leave victims with encrypted data in a bind – without a payment platform, they had no way to receive a decryptor.


In another twist, REvil resurfaced earlier in September after almost two months of inactivity. This saw the group’s Tor site for payments and negotiation return, along with its ‘Happy Blog’ – a platform for leaking data and shaming uncooperative victims.

Victims have had the amount of time to pay their ransoms reset. The group has also added screenshots of data belonging to a new victim.

According to a purported representative of the ransomware group, they went offline after their previous representative, Unknown (or UNKN) was thought to have been arrested and their servers compromised.

REvil also revealed the source of Kaseya’s decryptor – it was leaked accidentally while a coder was generating an individual key for one of the attack’s victims.

“Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor,” REvil said.

However, given the bizarre quality of the claims, and that this is a new, unverified representative of the group, it is worth treating the claim with some scepticism. The exact nature of the group’s return is also subject to speculation.

“We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus. We urge organisations to be on high alert and to take necessary precautions,” Bitdefender added in the statement concerning the launch of the decryptor.

Michael Behr

Senior Staff Writer
