Security Experts:

Decryption Key for Ransomware Delivered via Kaseya Attack Made Public

A key that can be used to decrypt files encrypted by the REvil ransomware delivered as part of the Kaseya attack has been made public.

According to threat intelligence company Flashpoint, an individual using the online moniker “Ekranoplan” recently claimed on a hacker forum that they had obtained a decryption key for the REvil ransomware. The individual posted a GitHub link pointing to a screenshot containing the key.

Ekranoplan wrote in Russian that the key was provided by their “parent company” and it should work for all REvil victims.

Flashpoint has tested the leaked key and confirmed that it can be used by victims of the Kaseya attack to recover files encrypted by the ransomware. The company is trying to determine to which extent it can be used by other victims.

Several people have confirmed on Twitter that the key works for decrypting files encrypted by the REvil variant used in the Kaseya attack. However, while the key may be useful for some other REvil victims as well, several researchers said it does not appear to be a universal decryptor that works for all versions of the ransomware.

While the decryption key might still be useful to some victims, organizations hit by the Kaseya attack should have received a universal decryptor from Kaseya itself last month.

The IT management software maker discovered in early July that cybercriminals had exploited vulnerabilities in one of its products to deliver ransomware to MSPs and their customers. The incident affected between 800 and 1,500 organizations, according to Kaseya.

The individuals behind the attack initially offered a universal decryptor that could be used by all Kaseya victims for $70 million, and the amount was later reportedly brought down to $50 million. However, the cybercriminals do not appear to have earned too much money as the ransomware in many cases failed to delete backups before encrypting files. In addition, they did not steal information from victims, as they did in previous attacks.

Roughly three weeks after the attack came to light, Kaseya said it had obtained a universal decryptor and started distributing it to affected customers. The company said it got the decryptor from a trusted third-party and denied paying any money to the cybercriminals.

The gang behind the REvil ransomware went offline shortly after the Kaseya attack, but a potential successor, called BlackMatter, has already emerged.

Related: Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack

Related: Emails Offering Kaseya Patches Deliver Malware

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.