Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Decryption Key for Ransomware Delivered via Kaseya Attack Made Public

A key that can be used to decrypt files encrypted by the REvil ransomware delivered as part of the Kaseya attack has been made public.

A key that can be used to decrypt files encrypted by the REvil ransomware delivered as part of the Kaseya attack has been made public.

According to threat intelligence company Flashpoint, an individual using the online moniker “Ekranoplan” recently claimed on a hacker forum that they had obtained a decryption key for the REvil ransomware. The individual posted a GitHub link pointing to a screenshot containing the key.

Ekranoplan wrote in Russian that the key was provided by their “parent company” and it should work for all REvil victims.

Flashpoint has tested the leaked key and confirmed that it can be used by victims of the Kaseya attack to recover files encrypted by the ransomware. The company is trying to determine to which extent it can be used by other victims.

Several people have confirmed on Twitter that the key works for decrypting files encrypted by the REvil variant used in the Kaseya attack. However, while the key may be useful for some other REvil victims as well, several researchers said it does not appear to be a universal decryptor that works for all versions of the ransomware.

While the decryption key might still be useful to some victims, organizations hit by the Kaseya attack should have received a universal decryptor from Kaseya itself last month.

The IT management software maker discovered in early July that cybercriminals had exploited vulnerabilities in one of its products to deliver ransomware to MSPs and their customers. The incident affected between 800 and 1,500 organizations, according to Kaseya.

The individuals behind the attack initially offered a universal decryptor that could be used by all Kaseya victims for $70 million, and the amount was later reportedly brought down to $50 million. However, the cybercriminals do not appear to have earned too much money as the ransomware in many cases failed to delete backups before encrypting files. In addition, they did not steal information from victims, as they did in previous attacks.

Roughly three weeks after the attack came to light, Kaseya said it had obtained a universal decryptor and started distributing it to affected customers. The company said it got the decryptor from a trusted third-party and denied paying any money to the cybercriminals.

The gang behind the REvil ransomware went offline shortly after the Kaseya attack, but a potential successor, called BlackMatter, has already emerged.

Related: Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack

Related: Emails Offering Kaseya Patches Deliver Malware

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...