Universal decryptor released for past REvil ransomware victims

Romanian cybersecurity firm Bitdefender has published today a universal decryption utility that will be able to help past victims of the REvil (Sodinokibi) ransomware gang recover their encrypted files — if they still have them.

Made available through the company's research blog, Bitdefender said the decryptor was developed "in collaboration with a trusted law enforcement partner."

The company said it couldn't elaborate more, citing an ongoing law enforcement investigation.

The tool can recover files encrypted during REvil attacks made before July 13, 2021, Bitdefender said.

That date marks the point at which the REvil ransomware gang shut down its web servers, following veiled threats and political pressure applied by the White House on its Russian counterparts after the massive attack on Kaseya servers during the July 4th holiday weekend.

Besides taking down servers that were used to orchestrate attacks, manage payment negotiations, and leak victim data, the gang also deleted profiles on dark web forums.

But on September 7, after a two-month hiatus, the group returned online. REvil operators spun up their old sites, created new profiles on forums, and within two days were carrying out new intrusions, according to Avast and AdvIntel.

In posts on hacking forums, the REvil gang said their two-month-long downtime had been caused by the disappearance of Unknown, its public spokesperson and one of the operation's leaders. However, in an interview with Russian news outlet Lenta, one of REvil's former collaborators (known as an affiliate) said that in reality the group had only taken a break, citing "political reasons."

Citing REvil's return, Bitdefender said that they and law enforcement officials believed it was "important to release the universal decryptor before the investigation is completed to help as many victims as possible."

This is not Bitdefender's first dance with the REvil gang, either. In June 2019, the security firm also released decryption utilities for the GandCrab ransomware, the initial ransomware operation from which the REvil gang evolved.


Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.