Bitdefender released free REvil ransomware decryptor that works for past victims

Researchers from Bitdefender released a free master decryptor for the REvil ransomware operation that allows past victims to recover their files for free.

Good news for the victims of REvil ransomware gangs that were infected before the operations were temporarily halted on July 13th, Bitdefender released a free master decryptor that allows them to recover their files for free.

On July 2, the REvil gang hit the Kaseya cloud-based MSP platform impacting MSPs and their customers.

The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.

The group asked $70 million worth of Bitcoin for decrypting all systems impacted in the Kaseya supply-chain ransomware attack.

The attack caught the attention of the media and the police authorities that increased pressure on the group.

Starting from July 13, the infrastructure and the websites used by the REvil ransomware gang were mysteriously unreachable. The Tor leak site, the payment website “decoder[.]re”, and their backend infrastructure went offline simultaneously.

Bitdefender developed the decryptor with the help of a law enforcement partner that provided the company decryption keys.

“Bitdefender announced the availability of a universal decryptor for REvil/Sodinokibi. Created in collaboration with a trusted law enforcement partner, this tool helps victims encrypted by REvil ransomware to restore their files and recover from attacks made before July 13, 2021.” reads the announcement published by Bitdefender. “We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus.”

The security firm did not provide additional details because there is an ongoing investigation, it also warns of imminent attacks by the REvil gang.

The victims of the group can download the decryptor from Bitdefender for free to recover their encrypted files, the security firm also published a step-by-step tutorial on how to use the REvil decryption tool.

The REvil ransomware group has been active since 2019, it targeted several high profile organizations, including Coop, JBS, and Travelex.

On September 7, the servers of the REvil ransomware gang were back online after around two months since their shutdown. The circumstance was immediately noted by many researchers, me too. The dark web leak site of the ransomware gang, also known as the Happy Blog, is back online, while the site decoder[.]re is still offline at the time of this writing.

It was not clear if the REvil gang resumed its operations or if the servers were turned on by law enforcement.

Now we can confirm that the REvil ransomware gang has fully resumed its operations, the group is targeting news victims and leaking stolen files.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]