Connect with us

Hi, what are you looking for?


Malware & Threats

Decryption Key for Ransomware Delivered via Kaseya Attack Made Public

A key that can be used to decrypt files encrypted by the REvil ransomware delivered as part of the Kaseya attack has been made public.

A key that can be used to decrypt files encrypted by the REvil ransomware delivered as part of the Kaseya attack has been made public.

According to threat intelligence company Flashpoint, an individual using the online moniker “Ekranoplan” recently claimed on a hacker forum that they had obtained a decryption key for the REvil ransomware. The individual posted a GitHub link pointing to a screenshot containing the key.

Ekranoplan wrote in Russian that the key was provided by their “parent company” and it should work for all REvil victims.

Flashpoint has tested the leaked key and confirmed that it can be used by victims of the Kaseya attack to recover files encrypted by the ransomware. The company is trying to determine to which extent it can be used by other victims.

Several people have confirmed on Twitter that the key works for decrypting files encrypted by the REvil variant used in the Kaseya attack. However, while the key may be useful for some other REvil victims as well, several researchers said it does not appear to be a universal decryptor that works for all versions of the ransomware.

While the decryption key might still be useful to some victims, organizations hit by the Kaseya attack should have received a universal decryptor from Kaseya itself last month.

The IT management software maker discovered in early July that cybercriminals had exploited vulnerabilities in one of its products to deliver ransomware to MSPs and their customers. The incident affected between 800 and 1,500 organizations, according to Kaseya.

Advertisement. Scroll to continue reading.

The individuals behind the attack initially offered a universal decryptor that could be used by all Kaseya victims for $70 million, and the amount was later reportedly brought down to $50 million. However, the cybercriminals do not appear to have earned too much money as the ransomware in many cases failed to delete backups before encrypting files. In addition, they did not steal information from victims, as they did in previous attacks.

Roughly three weeks after the attack came to light, Kaseya said it had obtained a universal decryptor and started distributing it to affected customers. The company said it got the decryptor from a trusted third-party and denied paying any money to the cybercriminals.

The gang behind the REvil ransomware went offline shortly after the Kaseya attack, but a potential successor, called BlackMatter, has already emerged.

Related: Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack

Related: Emails Offering Kaseya Patches Deliver Malware

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.