A key that can be used to decrypt files encrypted by the REvil ransomware delivered as part of the Kaseya attack has been made public.
According to threat intelligence company Flashpoint, an individual using the online moniker “Ekranoplan” recently claimed on a hacker forum that they had obtained a decryption key for the REvil ransomware. The individual posted a GitHub link pointing to a screenshot containing the key.
Ekranoplan wrote in Russian that the key was provided by their “parent company” and it should work for all REvil victims.
Flashpoint has tested the leaked key and confirmed that it can be used by victims of the Kaseya attack to recover files encrypted by the ransomware. The company is trying to determine to which extent it can be used by other victims.
Several people have confirmed on Twitter that the key works for decrypting files encrypted by the REvil variant used in the Kaseya attack. However, while the key may be useful for some other REvil victims as well, several researchers said it does not appear to be a universal decryptor that works for all versions of the ransomware.
While the decryption key might still be useful to some victims, organizations hit by the Kaseya attack should have received a universal decryptor from Kaseya itself last month.
The IT management software maker discovered in early July that cybercriminals had exploited vulnerabilities in one of its products to deliver ransomware to MSPs and their customers. The incident affected between 800 and 1,500 organizations, according to Kaseya.
The individuals behind the attack initially offered a universal decryptor that could be used by all Kaseya victims for $70 million, and the amount was later reportedly brought down to $50 million. However, the cybercriminals do not appear to have earned too much money as the ransomware in many cases failed to delete backups before encrypting files. In addition, they did not steal information from victims, as they did in previous attacks.
Roughly three weeks after the attack came to light, Kaseya said it had obtained a universal decryptor and started distributing it to affected customers. The company said it got the decryptor from a trusted third-party and denied paying any money to the cybercriminals.
The gang behind the REvil ransomware went offline shortly after the Kaseya attack, but a potential successor, called BlackMatter, has already emerged.
Related: Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack
Related: Emails Offering Kaseya Patches Deliver Malware
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
Latest News
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Google Patches Third Chrome Zero-Day of 2023
