Mysterious universal decryptor for encrypted REvil files published

A master key to decrypt files encrypted by the ransomware REvil during an attack on Kaseya's customers was published on a hacker forum, giving researchers the opportunity to study this mysterious tool.

Recall that on July 2 of this year, the REvil cyber ransomware group attacked managed service providers around the world through a zero-day vulnerability in the Kaseya VSA remote control application. After the attack, the ransomware demanded $ 70 million for a universal tool that would restore the encrypted files of all Kaseya customers.

However, then the REvil group mysteriously ceased to exist, and its wallets and all infrastructure were turned off. On July 22nd, Kaseya received a universal decryptor from a mysterious "third party" and began distributing it to its customers. In order for it to teach, companies are required to be first to sign a nondisclosure agreement.

There is an opinion that the decryptor was taken from cybercriminals by the Russian special services and handed over to their American colleagues as a gesture of goodwill.

On August 10, security researcher Pancak3 reported to the BleepingComputer portal that someone posted a screenshot on one of the hacker forums, which allegedly shows a universal key for recovering files encrypted by REvil. The post linked to a screenshot on GitHub showing the REvil decryptor running, displaying the base64 hashed key 'master_sk'. The key looks like this: 'OgTD7co7NcYCoNj8NoYdPoR8nVFJBO5vs / kVkhelp2s ='.

BleepingComputer managed to decrypt the virtual machine with the REvil ransomware samples used in the Kaseya attack. The experts of the information security company Flashpoint also confirmed that with the help of this key they were able to decrypt the files encrypted during the attack on Kaseya.

Experts have tested the decryptor on other REvil samples collected over the past two years. The decryptor was not working, which means it is not the master decryption key for all REvil victims.

For what reasons the tool was published on a hacker forum, to which the victims of the ransomware do not have access, is unknown. As numerous sources in the field of cybersecurity told BleepingComputer, in their opinion, the publication is connected with the cybercriminal group REvil itself, and not with its victims.

Previous Post Next Post