In early July, a massive REvil ransomware attack affected multiple managed service providers and their clients through a reported Kaseya supply-chain attack.

The attackers delivered the REvil ransomware, which encrypted files on compromised systems and asked victims to pay a ransom to recover them. However, victims that have not already paid up will now get help from Kaseya, after the company obtained a “universal decryptor key.”

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” Kaseya said.

It’s unclear how Kaseya got the decryptor, but the company said it was obtained from a “trusted third party.” Cybersecurity company Emsisoft verified the decryptor and confirmed that it works properly, Kaseya said.

Yesterday, security researcher Pancak3 told BleepingComputer that someone posted a screenshot of what they claimed was a universal REvil decryptor on a hacking forum.

This post linked to a screenshot on GitHub that showed a REvil decryptor running while displaying a base64-encoded ‘master_sk’ key (base64 is an encoding, not a hash; the 44-character string decodes to 32 bytes). This key is ‘OgTD7co7NcYCoNj8NoYdPoR8nVFJBO5vs/kVkhelp2s=’, as shown in the screenshot.

When REvil ransomware victims pay a ransom, they receive either a decryptor that works for a single encrypted file extension or a universal decryptor that works for all encrypted file extensions used in a particular campaign or attack.

The screenshot above is for a universal REvil decryptor that can decrypt all extensions associated with the attack.


To be clear, while it was originally thought that the decryption key in this screenshot might be the master ‘operator’ key for all REvil campaigns, BleepingComputer has confirmed that it is only the universal decryptor key for victims of the Kaseya attack.

This was also confirmed by Emsisoft CTO and ransomware expert Fabian Wosar.

However, BleepingComputer was told by numerous sources in the cybersecurity intelligence industry that they believe that the poster is affiliated with the REvil ransomware gang rather than a victim.