REvil Ransomware universal decryptor key leaked


Bitdefender researchers have published a free master decryptor for the REvil ransomware operation, which victims may use to restore their files for free.


On July 2nd, the REvil gang compromised Kaseya's cloud-based MSP platform, affecting MSPs and their clients. The group first broke into the Kaseya VSA infrastructure, then pushed malicious updates to on-premise VSA servers in order to infect enterprise networks with ransomware. For decrypting all systems affected by the Kaseya supply-chain ransomware attack, the ransomware gang demanded $70 million in Bitcoin.


However, starting on July 13th, the REvil ransomware gang's infrastructure and websites were unexpectedly shut down. At the same time, the Tor leak site, the payment website "decoder[.]re" and their backend infrastructure went offline. Bitdefender created the decryptor with the assistance of a law enforcement partner, who provided the decryption keys to the company.


Victims' encrypted files can be restored with the universal decryptor for REvil/Sodinokibi.


The researchers believe that further REvil attacks are likely now that the gang's servers and accompanying infrastructure have come back online after a two-month hiatus. They are not providing any additional details because the investigation is still underway.


The gang's victims can restore their encrypted files for free by downloading the decryptor from Bitdefender. The researchers also published step-by-step instructions on how to use the REvil decryption tool.


REvil is a ransomware-as-a-service (RaaS) operation most likely based in a CIS country. A successor to the now-defunct GandCrab ransomware, it first appeared in 2019. REvil/Sodinokibi is one of the most widespread ransomware families on the Dark Web, with affiliates targeting thousands of IT firms, managed service providers and retailers around the world. After encrypting a company's data, REvil affiliates demand large ransoms, up to $70 million, in exchange for a decryption key and assurances that the gang will not publish the information stolen during the attack.


The Kaseya attack, which hit thousands of managed service providers (MSPs), was its biggest heist before it vanished. Since July 2, the REvil gang has conducted over 5,000 attacks against the Kaseya Virtual System/Server Administrator (VSA) platform in 22 countries. These attacks affected not only Kaseya's MSP customers but also the customers of those MSPs, since many of them use VSA to administer other organisations' networks.
