Cyber security software supplier BitDefender has released a universal decryptor for the REvil ransomware, enabling victims of attacks made before 13 July 2021 to restore their files without paying off the cyber criminals.
Developed with assistance from an undisclosed law enforcement partner, the decryption tool can be downloaded from BitDefender’s website for free, along with a step-by-step tutorial on how to use it.
Alongside the unnamed partner, the Romania-headquartered firm is currently engaged in an ongoing investigation into REvil and is unable to comment on specific details relating to the case until authorised to do so by the leaders of the investigation.
However, it said all concerned believed it was important to release the universal decryptor before the completion of the investigation to help as many victims as possible.
Bogdan Botezatu, director of threat research and reporting at BitDefender, told Computer Weekly it was not clear how many victims might be able to take advantage of the tool. “It is next to impossible to estimate how many victims REvil has managed to infect,” he said. “This is because not all victims report infections or reach out for support.”
Decryptors provided by the REvil gang in the past have gained a reputation for being slow and unreliable, leaving many victims not much better off, but Botezatu said that because the new tool had been developed from scratch, it could be used in confidence.
“The decryptor is safe to use and follows industry standards in software development,” he explained. “The decryptor has been thoroughly tested and our labs offer software support for users and companies who may encounter issues during decryption.
“Until now, our decryptors have saved organisations more than $100m in ransoms, helped rescue critical data and kept organisations around the world open for business,” he added.
REvil, which disappeared in mysterious circumstances in July 2021, possibly after its blockbuster cyber attack on Kaseya brought unwelcome heat from law enforcement, reactivated much of its infrastructure earlier this month.
Last week, researchers at risk intelligence specialist Flashpoint reported that REvil was fully operational once again, with a supposed representative appearing on the Exploit cyber crime forum. According to social media chatter, the group is already conducting new cyber attacks and publishing new victims to its dark web leak site, the so-called Happy Blog.
According to Flashpoint, those behind REvil are also currently trying to mend fences with their peers – their sudden disappearance having upset many affiliates who believe they were left in the lurch.
In an Exploit post – translated from Russian by Flashpoint – the supposed group member revealed that human error on a coder’s part had resulted in the accidental release of a universal decryptor key for victims of the Kaseya attack. “That’s how we s**t ourselves,” they said.
They added: “No one was scammed. We are in contact with our affiliates, we aren’t hiding anything.”
BitDefender, for its part, said REvil was likely still highly dangerous, and urged organisations to be on high alert for renewed attacks and to take precautions against them.
“We’re monitoring the re-emergence of the REvil group but we are not able to provide more context at this point in the investigation. We are constantly working on new decryptors and partnering with law enforcement agencies to offer users unconditional, free access to ransomware decryption tools,” said Botezatu.
The National Cyber Security Centre publishes guidance on responding to a ransomware attack and mitigating its impact.