Bitdefender releases REvil decryptor as ransomware gang shows signs of return

Getty Images


Written by

As law enforcement braces for the revival of the REvil ransomware gang, a cybersecurity firm on Thursday released a free decryption tool for early victims of the criminals.

The decryptor, which Bitdefender developed in coordination with an unnamed law enforcement partner, will aid victims hit before July 13. The Romania-based company said it was still in the middle of an investigation with its partner, which agreed to release the decryptor before completing the joint inquiry to help as many victims as possible. Bitdefender has a long history of working with Europol to release tools that help victims of digital extortion sidestep the process of making a payment.

“We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus,” Bitdefender wrote in a blog post.

According to another cybersecurity firm, Flashpoint, REvil is already fully back in business. It would mark a quick turnaround for one of the most successful ransomware gangs, which disappeared after headline-making attacks on meat supplier JBS and software company Kaseya.

It’s not the first time law enforcement has been invoked in relation to a REvil-related decryptor. Kaseya made a decryptor available to companies hit with ransomware after REvil penetrated the software firm, but wouldn’t say how it obtained it.

According to Flashpoint, someone affiliated with the gang posted on the Exploit cybercrime forum on Sept. 9 to offer their own explanation.

“The threat actor operating under the alias ‘REvil’ on Exploit explained that the Kaseya key was leaked by law enforcement agencies due to human error during the key generation process,” Flashpoint wrote.

The same underground forum poster elaborated the following day.

“Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine,” according to Flashpoint’s translation from Russian. “Then, in the process of generating the keys, we had to generate between 20 and 500 decryption keys for each [individual] victim [because the victims of the Kaseya attack all had networks of different sizes]. One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we shit ourselves.”

It’s more than cyber firms and unnamed law enforcement agencies closely watching whether Russian ransomware gangs are on the mend. Top U.S. officials in recent days have spoken of unspecified operations against those gangs, as well as speculated about when they might return and how.

-In this Story-

Bitdefender, Flashpoint, ransomware, REvil, Russia