Universal decryptor released for past victims of REvil ransomware group

A JBS processing plant stands dormant after halting operations on June 1, 2021, in Greeley, Colo. JBS facilities around the globe were impacted by a ransomware attack, forcing many of their facilities to shut down. (Photo by Chet Strange/Getty Images)

Victims who have been unable to recover all of their data locked by the REvil ransomware group got a big assist Thursday, as Bitdefender announced the release of a free, universal decryption key to restore their files. 

Bitdefender announced on its blog that the tool was created in conjunction with an unnamed law enforcement partner and restores files from attacks before July 13, 2021. While Bitdefender noted that the investigation with law enforcement is ongoing, both parties believed it was important to release the decryptor to help as many victims as possible.  

“We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus,” Bitdefender wrote in the post. “We urge organizations to be on high alert and to take necessary precautions.”

The decryption key’s release comes shortly after activity suggesting that the REvil ransomware group has resumed its attacks after months offline.

The group’s leaks site, “Happy Blog,” last week began posting new samples of its malware, as well as proof of breaches. SC Media reported that cybersecurity firm Mandiant noticed a new victim was added to Happy Blog for the first time since its relaunch on Sept. 11. 

“On the same day that these sites reemerged, a message was shared with REvil affiliates stating that the infrastructure had previously been turned off and moved to other servers for safety reasons,” Kimberly Goody, director of Mandiant’s financial crime analysis, told SC Media via email. “The threat actor who posted the announcement also highlighted various, minor updates to the SODINOKIBI ransomware.”

REvil’s resources, including payment sites, went dormant suddenly in July after earlier high-profile attacks on IT software company Kaseya and food processing company JBS.

Kaseya was hit with ransomware over the July 4 weekend and later confirmed it obtained a decryption key from a third party for users of its VSA remote monitoring product. Kaseya did not disclose how it obtained the decryptor, but it denied paying a ransom. SC Media previously reported that Kaseya believed between 50 and 60 total customers were victims of the REvil outbreak, but with a large MSP client base, around 1,500 total downstream businesses were ultimately infected.

Companies affected by REvil ransomware prior to July 13 can download the decryption tool and follow a tutorial on how to use it at Bitdefender's blog.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
