Bitdefender releases REvil universal ransomware decryptor

The REvil decryptor key helps victims recover their encrypted files, as long as the attacks were made before July 13, which is when REvil went off the grid for two months.

Bitdefender and "a trusted law enforcement partner" have created and released a universal decryptor for REvil ransomware.

REvil, also known as Sodinokibi, is a prominent ransomware gang that was recently responsible for the high-profile Kaseya supply chain attack in July. Shortly after the attack -- where the ransomware operators demanded a $70 million ransom from Kaseya and its customers -- the gang disappeared for nearly two months.

The decryptor key, released Thursday, helps victims recover data from attacks made before July 13 -- when REvil initially went dark. As Bitdefender's blog post noted, victims who had not paid REvil's ransom were left unable to recover their encrypted data.

In addition to the decryptor key itself, step-by-step documentation on using the key is available.

Bitdefender did not name the law enforcement entity that assisted the vendor in developing the universal decryptor. Moreover, the post stated that, due to the ongoing nature of the associated investigation, they are unable to "comment on details related to this case."

Bogdan Botezatu, director of threat research and reporting at Bitdefender, told SearchSecurity that estimating the total number of REvil victims is nearly impossible.

"It's next to impossible to estimate how many victims REvil has managed to infect since 2019," he said. "This is because not all victims report infections or reach out for support. However, we can say that we have seen downloads of the decryptor as soon as we released it today."

The vendor said it believes "new REvil attacks are imminent" following the gang's resurgence.

Emsisoft threat analyst Brett Callow said there's "no reason to believe" that the "old" REvil and resurfaced REvil are different gangs.

"The only new REvil samples I'm aware of are exactly the same as the old samples. They're new only in that they were recently compiled. There's been no alteration to the code. Yet," he said. "There's no reason to believe that the people who brought REvil sites back online are any different to the people who were previously engaged in the operation."

Callow added that this is likely the case even though REvil's current spokesperson posted on a cybercrime forum that Unknown, the previous spokesperson, had disappeared; that claim, he said, "should be taken with a pinch of salt."

"Gangs know the forums are monitored, and so [they] use them as a press release service to spread misinformation," he said.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
