Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Good News: REvil Ransomware Victims Get Free Decryptor

Many Files Crypto-Locked Before July 13 Unlockable via Free Bitdefender Decryptor
Good News: REvil Ransomware Victims Get Free Decryptor
Free decryptor for files encrypted by REvil/Sodinokibi prior to July 13, 2021 (Source: Bitdefender)

Score one for the good guys in the fight against ransomware: Anyone who fell victim to REvil, aka Sodinokibi, crypto-locking malware before July 13 can now decrypt their files for free.

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

On Thursday, antivirus vendor Bitdefender released a free decryptor for REvil, which first began operating in April 2019.

The free decryptor is also available for download via the No More Ransom project, which is a public-private collaboration involving multiple private security firms, as well as Dutch cybercrime police and the EU's law enforcement intelligence agency, Europol.

The operating instructions for the free decryptor note that "some versions" of REvil won't be decryptable.

By this, Bitdefender means the decryptor only works with prior attacks. "This specification refers to the fact that our tool can decrypt ransomware attacks that occurred until July 13," Bogdan Botezatu, director of threat research and reporting at Bitdefender, tells Information Security Media Group. "Also, with the REvil team back in business, we expect that they will rotate keys, so our decryptor will not be effective for future attacks. This is 'business as usual' in the fight against ransomware."

But the existence of a free decryptor means that past victims of REvil who chose to not pay a ransom, yet who may not have been able to successfully restore all of their crypto-locked files from backups, should be able to get their data back.

How Free Decryptors Get Built

This is far from the first time that a free decryptor has been released to help ransomware victims.

Indeed, for more than five years, No More Ransom has been helping to gather such decryptors for public use. Bitdefender, Emsisoft and other firms continue to develop such decryptors. These efforts are aided by ransomware operations calling it quits and releasing all their keys, as Avaddon did in June (see: 'Fear' Likely Drove Avaddon's Exit From Ransomware Fray).

Or sometimes, researchers find weaknesses that they can exploit to forcibly decrypt files, as they did with REvil's predecessor GandCrab. Unfortunately, attackers will typically rapidly update their code to eliminate the flaws, since free decryptors undercut their criminal business model.

Finally, some decryptors result from police infiltrating criminal infrastructure or arresting administrators, giving them access to all of the decryption keys, which they pass on to security researchers to build free decryptors.

The free Sodinokibi/REvil decryptor is also available via the No More Ransom project.

REvil Probe is 'Ongoing Investigation'

How Bitdefender was able to obtain the REvil decryption keys necessary to write this decryptor remains unclear.

"Please note this is an ongoing investigation and we can't comment on details related to this case until authorized by the lead investigating law enforcement partner," Bitdefender says. "Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible."

Bitdefender says that any REvil victims who have any problems with the decryptor should contact the company directly.

Reading between the lines, law enforcement authorities may have disrupted REvil's infrastructure, which went offline on July 13, and at the same time retrieved the key information from the operation's servers, says ransomware-hunting veteran Fabian Wosar, CTO of antivirus vendor Emsisoft.

REvil Went Dark in July

REvil's infrastructure going dark in July could instead have been its response to U.S. President Joe Biden pressing Russian President Vladimir Putin, at a June 17 summit in Geneva, to arrest criminals operating inside Russia's borders who were launching ransomware attacks abroad. The White House has also brought more law enforcement and intelligence resources to bear to track and potentially disrupt transnational cybercrime groups.

REvil has been a big focus because the group continues to dominate the ransomware attack landscape.

Ransomware incident response firm Coveware, based on thousands of cases that it helped investigate from April through June, says REvil was the most prevalent strain of ransomware that it saw. The group gained extra notoriety after attacking meat processing giant JBS in May, which paid the group an $11 million ransom. Over the July 4 holiday weekend, REvil unleashed an attack via Miami-based remote management software firm Kaseya's remote management software, which is used by a number of managed service providers. Approximately 1,500 of those MSPs' clients ended up infected with REvil ransomware.

Later, however, Kaseya somehow obtained a universal decryptor for victims infected via its software. The firm did not specify how, except to note that it had paid no ransom. Subsequently, the universal decryptor for the Kaseya attack was posted to the Russian-language XSS cybercrime forum.

Emsisoft's Wosar told ISMG in 2019 that one innovation introduced by REvil, based on demand from GandCrab users, was the ability to more easily hit MSPs' customers, and more easily ransom - including decrypt - what might be dozens, hundreds or more individual victims, all of which could be managed with a single, universal decryptor for that attack (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).

REvil Claims User Error Aided Kaseya Recovery

In a Sept. 10 post to the Russian-language cybercrime forum Exploit, a representative for REvil claimed that a user error had resulted in the operation accidentally sharing a universal decryptor with a victim of its Kaseya attack who had paid a ransom.

Screenshot of REvil's registration on the Exploit forum, as seen on Sept. 9, 2021 (Source: Flashpoint)

"Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine. Then, in the process of generating the keys, we had to generate between 20 and 500 decryption keys for each [individual] victim [because the victims of the Kaseya attack all had networks of different sizes]. One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine," a forum user named "REvil" posted, according to a translation from threat intelligence firm Flashpoint.

Whether this is true remains unknown.

"Forum posts should be taken with a pinch of salt," Brett Callow, a threat analyst at Emsisoft, tells ISMG. "The criminals know the forums are being monitored and so effectively use them as a press release service. They say what they want us to know. No more, no less."

Note that the universal key is separate to what researchers call a master key.

As Yelisey Boguslavskiy, head of research at Advanced Intelligence, told Threatpost, a master key would be held only by REvil's top administrators, and could be used to generate a decryptor for any infection created by the group's malware. Boguslavskiy said that security researchers have "never seen this key before."

REvil: Reloaded

Did REvil disappear because the Biden administration tasked U.S. Cyber Command to scuttle its infrastructure? Asked that question in late July, a White House official said that while the administration welcomed REvil having gone dark, it didn't know why the group's attacks had ceased.

White House officials have said they expected it would take at least six months to tell whether or not Moscow was taking Biden's request seriously, which he repeated to Putin in a July 9 phone call.

But at least thus far, some officials say they've seen no signs of action.

This week, FBI Deputy Director Paul Abbate said at the National Security Summit in National Harbor, Maryland, that "based on what we've seen, I would say there is no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they have created there," The Hill reported (see: Russia Has Taken No Action to Combat Ransomware, FBI Says).

Unfortunately, REvil has now returned. Its data leak server and payment portal came back online on Sept. 7 and payment countdown timers - before the attackers threatened to leak stolen data - have been reset. On Sept. 9, meanwhile, security experts spotted a new version of its crypto-locking malware had been uploaded to malware-scanning service VirusTotal, likely by a fresh target. In recent days, the group has listed one new victim on its data-leak site, as part of its attempt to extort it into paying a ransom.

Security experts anticipate REvil will ensure that the free decryptor that's been released won't interfere with future attacks. "We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two-month hiatus," Bitdefender says. "We urge organizations to be on high alert and to take necessary precautions."

Update 1

Editor's note, Sept. 18: Bitdefender says files encrypted by some versions of REvil that are above a certain size can be corrupted by its restoration tool. It's disabled the ability to decrypt files crypto-locked by these versions of REvil, while it prepares a fix. For anyone who uses the tool, also, "we strongly advise to check the 'backup files' option," the company says, to help prevent inadvertent data loss.

Update 2

Editor's note, Sept. 19: Wosar says the decryptor has been updated to fix the problem, and to add more functionality.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.