Bitdefender has released a free master REvil ransomware decryptor that allows previous victims of REvil ransomware to recover their files for free. The REvil master ransomware decryptor tool was developed in conjunction with an unnamed “trusted law enforcement partner.” Bitdefender has not disclosed any details about the partner or how the master keys to decrypt files were obtained. Bitdefender said the master decryptor will allow files encrypted by the prolific ransomware gang prior to July 13, 2021 to be decrypted free of charge.
REvil ransomware, aka Sodinokibi, appeared shortly after another prolific ransomware operation – GandCrab – was shut down, leading security experts to believe REvil was the successor to GandCrab. REvil has been extensively used in attacks since 2019, with the most recent attacks including JBS Foods and Kaseya. The later attack was extensive, not only impacting Kaseya but also around 60 managed service providers and an estimated 1,500 downstream businesses.
REvil went silent on July 13, 2021, just a few days after President Biden demanded Russian President Putin take action to stop ransomware gangs operating out of Russia. Ranomware gangs faced increased pressure following several high profile attacks, including the one conducted by the Darkside ransomware gang on Colonial Pipeline, which resulted in the fuel pipeline serving the East Coast of the United States being taken out of action for a week. Following that attack, the Darkside ransomware gang also shut down operations.
When the REvil servers and data leak site went dark, it was presumed the gang had decided to lay low for a while due to the increased heat and political pressure or that there had been a law enforcement takedown of its servers. No law enforcement agency has claimed responsibility for such a takedown, and recently an FBI official said Russia is not cooperating with the U.S. to deal with the ransomware threat.
After the attack on Kaseya, the company was provided with a decryptor which allowed MSPs and businesses affected by the attack to recover their files for free. The decryptor provided to Kaseya only worked for victims of that single attack and was not a master decryptor that allowed all victims to recover. It is unclear where that decryptor came from.
Usually when a ransomware operation shuts down, a master decryptor is released by the gang to allow past victims to recover. In this case, REvil went quiet and no master decryptor was released. It is not yet known how Bitdefender obtained the key, and whether this was released by the gang or was obtained as part of a law enforcement operations.
Bitdefender said, “Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible.”
The REvil Decryptor can be downloaded from Bitdefender here, with step by step instructions on using the decryptor available here.