A key that can be used to decrypt files encrypted by the REvil ransomware delivered as part of the Kaseya attack has been made public.
According to threat intelligence company Flashpoint, an individual using the online moniker “Ekranoplan” recently claimed on a hacker forum that they had obtained a decryption key for the REvil ransomware. The individual posted a GitHub link pointing to a screenshot containing the key.
Ekranoplan wrote in Russian that the key was provided by their “parent company” and it should work for all REvil victims.
Flashpoint has tested the leaked key and confirmed that it can be used by victims of the Kaseya attack to recover files encrypted by the ransomware. The company is trying to determine to which extent it can be used by other victims.
Several people have confirmed on Twitter that the key works for decrypting files encrypted by the REvil variant used in the Kaseya attack. However, while the key may be useful for some other REvil victims as well, several researchers said it does not appear to be a universal decryptor that works for all versions of the ransomware.
While the decryption key might still be useful to some victims, organizations hit by the Kaseya attack should have received a universal decryptor from Kaseya itself last month.
The IT management software maker discovered in early July that cybercriminals had exploited vulnerabilities in one of its products to deliver ransomware to MSPs and their customers. The incident affected between 800 and 1,500 organizations, according to Kaseya.
The individuals behind the attack initially offered a universal decryptor that could be used by all Kaseya victims for $70 million, and the amount was later reportedly brought down to $50 million. However, the cybercriminals do not appear to have earned too much money as the ransomware in many cases failed to delete backups before encrypting files. In addition, they did not steal information from victims, as they did in previous attacks.
Roughly three weeks after the attack came to light, Kaseya said it had obtained a universal decryptor and started distributing it to affected customers. The company said it got the decryptor from a trusted third-party and denied paying any money to the cybercriminals.
The gang behind the REvil ransomware went offline shortly after the Kaseya attack, but a potential successor, called BlackMatter, has already emerged.
Related: Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
Latest News
- Sentra Raises $30 Million for DSPM Technology
- Cyber Insights 2023: Cyberinsurance
- Cyber Insights 2023: Attack Surface Management
- Cyber Insights 2023: Artificial Intelligence
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- Guardz Emerges From Stealth Mode With $10 Million in Funding
- How the Atomized Network Changed Enterprise Protection
- Critical QNAP Vulnerability Leads to Code Injection
