In early July, a massive REvil ransomware attack affected multiple managed service providers and their clients through a reported Kaseya supply-chain attack.
The attackers delivered the REvil ransomware, which encrypted files on compromised systems and asked victims to pay a ransom to recover them. However, victims that have not already paid up will now get help from Kaseya, after the company obtained a “universal decryptor key.”
“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” Kaseya said.
It’s unclear how Kaseya got the decryptor, but the company said it was obtained from a “trusted third party.” Cybersecurity company Emsisoft verified the decryptor and confirmed that it works properly, Kaseya said.
Yesterday, security researcher Pancak3 told BleepingComputer that someone posted a screenshot of what they claimed was a universal REvil decryptor on a hacking forum.
This post linked to a screenshot on GitHub that showed a REvil decryptor running while displaying a base64-encoded ‘master_sk’ key. This key is ‘OgTD7co7NcYCoNj8NoYdPoR8nVFJBO5vs/kVkhelp2s=’, as shown below.
When REvil ransomware victims pay a ransom, they receive either a decryptor that works for a single encrypted file extension or a universal decryptor that works for all encrypted file extensions used in a particular campaign or attack.
The screenshot above is for a universal REvil decryptor that can decrypt all extensions associated with the attack.
To be clear, while it was originally thought that the decryption key in this screenshot might be the master ‘operator’ key for all REvil campaigns, BleepingComputer has confirmed that it is only the universal decryptor key for victims of the Kaseya attack.
This was also confirmed by Emsisoft CTO and ransomware expert Fabian Wosar.
The REvil hardcoded operator public key is 79CD20FCE73EE1B81A433812C156281A04C92255E0D708BB9F0B1F1CB9130635. The leaked key generates public key F7F020C8BBD612F8966EFB9AC91DA4D10D78D1EF4B649E61C2B9ADA3FCC2C853. Therefore, the leaked key is not the operator private key.
— Fabian Wosar (@fwosar) August 11, 2021
However, BleepingComputer was told by numerous sources in the cybersecurity intelligence industry that they believe that the poster is affiliated with the REvil ransomware gang rather than a victim.
Bijay Pokharel