The free decryption tool will help victims restore their encrypted files from attacks made before July 13, 2021, says Bitdefender.
Organizations that were compromised by REvil ransomware can now download and run a free tool to decrypt their hijacked files. In a blog post published Thursday, security firm Bitdefender announced the availability of a universal decryptor for REvil/Sodinokibi ransomware attacks. Revealing that it created the tool in partnership with a trusted law enforcement entity, Bitdefender said the decryptor is designed to help victims of this brand of ransomware recover any encrypted files from attacks that occurred before July 13, 2021.
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
Affected organizations can download the decryptor directly from a link at the end of Bitdefender’s blog post. A link for a step-by-step tutorial on how to use the decryption tool is accessible from the same post.
After installation, the tool scans an entire computer or a specific folder for encrypted files. It then decrypts any such files that it finds. You can install and run the tool on a single computer. Alternatively, you can run it silently across your network or on a remote machine through a command line process.
Bitdefender didn’t reveal much about its involvement with the tool, noting that this matter concerns an ongoing investigation and that it can’t disclose any details until authorized by the lead investigating law enforcement partner. But it said that both parties felt it important to release the decryptor before the investigation is finished in order to help as many victims as possible.
After launching a series of vicious ransomware attacks since 2019, the criminals behind the REvil/Sodinokibi ransomware staged one of their most infamous capers. On July 3, enterprise IT firm Kaseya revealed a successful cyberattack against its VSA product, a program used by Managed Service Providers (MSPs) to remotely monitor and administer IT services for customers. Given the supply chain nature of Kaseya’s business, more than 1,000 businesses around the world saw their data encrypted due to the attack.
Proudly taking credit for the crime, REvil claimed in its “Happy Blog” that more than 1 million systems had been infected. The gang also devised an interesting offer that would impact all victims of its ransomware. In exchange for $70 million worth of bitcoin, REvil would provide a universal decryptor through which all affected companies could recover their files.
A few weeks later, Kaseya announced that it had acquired a universal decryptor key for recent victims of REvil. The company didn’t reveal any details as to how or where the decryptor was obtained other than to say that it came from a trusted third party.
But in another twist to this saga, about a week before Kaseya came up with the universal decryptor, REvil went off the grid. The group’s Happy Blog went offline as did its payment and negotiation site. The disappearance of the latter actually put victims in a lurch as they no longer had a clear way to deal with the gang or pay the ransom if they chose to do so.
“On July 13 of this year, parts of REvil’s infrastructure went offline, leaving infected victims who had not paid the ransom unable to recover their encrypted data,” Bitdefender said in its post. “This decryption tool will now offer those victims the ability to take back control of their data and assets.”
But the story is far from over. Last week, REvil appeared to come back to life following a two-month break. Both the Happy Blog and the payment and negotiation site popped up online once again. Whether or not this means the group is back in business is unknown. But the folks at Bitdefender advise people not to let their guard down.
“We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two-month hiatus,” Bitdefender said. “We urge organizations to be on high alert and to take necessary precautions.”