Kaseya’s universal REvil decryption key leaked: Report

The universal decryption key for REvil’s attack on Kaseya’s clients has been leaked on hacker forums, allowing researchers to see the mystery key for the first time.


The REvil ransomware gang used a zero-day vulnerability in the Kaseya VSA remote management application to launch a major cyberattack on managed service providers around the world on July 2nd.


This ransomware attack encrypted almost sixty managed service providers and 1,500 organisations, making it the largest ransomware attack in history.


Following the incident, the threat actors demanded a $70 million ransom in exchange for a universal decryptor that could be used to decrypt all Kaseya victims.


The REvil ransomware group, on the other hand, inexplicably vanished, and the gang’s Tor payment sites and infrastructure were shut down shortly after.



Companies that may have been required to purchase a decryptor are now unable to do so due to the gang’s disappearance.


Kaseya began distributing a universal decryption key for the ransomware attack to affected customers on July 22nd, after receiving it from a mystery “trusted third party.”


According to CNN, Kaseya asked customers to sign a non-disclosure agreement before giving the decryptor, which could explain why the decryption key hasn’t surfaced until now.


As reported by BleepingComputer, the decryptor is thought to have been received by Russian intelligence from the ransomware gang and given with US law enforcement as a sign of goodwill.


Someone claimed to have released a screenshot of what they said was a universal REvil decryptor on a hacking forum, according to security expert Pancak3.



Forum post about Kaseya decryptor on a hacking forum




This post linked to a GitHub screenshot of a REvil decryptor running with a base64 hashed’master sk’ key displayed.



Kaseya REvil decryptor



As stated below, the key is ‘OgTD7co7NcYCoNj8NoYdPoR8nVFJBO5vs/kVkhelp2s=’.


When victims of REvil ransomware pay the ransom, they receive either a decryptor for a single encrypted file extension or a universal decryptor for all encrypted file extensions used in the campaign or attack.


The image above shows a universal REvil decryptor that can decrypt all of the attack’s extensions.


To be clear, while the decryption key in this screenshot was originally considered to be the master ‘operator’ key for all REvil campaigns, BleepingComputer has established that it is simply the universal decryptor key for victims of the Kaseya attack.


Fabian Wosar, CTO of Emsisoft and a ransomware expert, confirmed this.


fabian worsar tweet



By patching a REvil universal decryptor with the decryption key provided in the screenshot, BleepingComputer was able to test the leaked key.


This decryption key was also verified by security firm Flashpoint as being able to decrypt files encrypted during the Kaseya ransomware assault.


It’s unclear why the Kaseya decryptor was placed on a hacker site, where a victim would be unlikely to post.


Several sources in the cybersecurity intelligence industry told BleepingComputer that they suspect the poster is a member of the REvil ransomware gang rather than a victim.




You might also like:

DarkSide ransomware gang is back as BlackMatter operation

Haron and BlackMatter ransomware groups appeared on hacker forum

Kaseya obtained a universal decryptor for REvil ransomware attack

Pegasus Project – Spyware used to target journalist, activists and others