Decryptor for REvil Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 21 Apr 2022 21:07:41 +0000 en-US hourly 1 https://wordpress.org/?v=85050 200474804 FBI Kept Secret Key To Decrypt Data After REvil Attacks https://gridinsoft.com/blogs/fbi-kept-secret-key-to-decrypt-data-after-revil-attacks/ https://gridinsoft.com/blogs/fbi-kept-secret-key-to-decrypt-data-after-revil-attacks/#respond Wed, 22 Sep 2021 16:11:48 +0000 https://blog.gridinsoft.com/?p=5948 Journalists of The Washington Post found out how the FBI obtained the key to decrypt the data, which was affected in the attacks of the REvil ransomware. First, should be recalled that the background of what is happening: last week Bitdefender published a universal utility for decrypting files affected by the attacks of the ransomware… Continue reading FBI Kept Secret Key To Decrypt Data After REvil Attacks

The post FBI Kept Secret Key To Decrypt Data After REvil Attacks appeared first on Gridinsoft Blog.

]]>
Journalists of The Washington Post found out how the FBI obtained the key to decrypt the data, which was affected in the attacks of the REvil ransomware.

First, should be recalled that the background of what is happening: last week Bitdefender published a universal utility for decrypting files affected by the attacks of the ransomware REvil (Sodinokibi). The tool works for any data encrypted before July 13, 2021.

At the time, experts reported that the tool was created in collaboration with “trusted law enforcement partners,” but the company declined to disclose any details, citing an ongoing investigation. According to people familiar with the matter, the partner was not the FBI.

July 13 is mentioned above for a reason, as on this day the entire REvil infrastructure went offline without explanation. The hacker group completely “disappeared from the radar” for a while, and as a result, many companies were left without the ability to recover their data, even if they were willing to pay the hackers a ransom.

It is important that not long before this, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks, and law enforcement agencies and authorities became very interested in hackers.

Then, when the group had already “disappeared”, representatives of the injured Kaseya unexpectedly announced that they had a universal key to decrypt customer data. Then the company refused to disclose where this tool came from, limiting itself to a vague “from a trusted third party.”

However, the company assured that it is universal and suitable for all affected MSPs and their clients. Moreover, before sharing the tool with clients, Kaseya required them to sign a non-disclosure agreement.

As the Washington Post now reports, the assumptions of many cybersecurity experts were correct: Kaseya really received the key from the FBI representatives. Law enforcement officials say they infiltrated the servers of the hack group and extracted a key from there, which ultimately helped to decrypt data and 1,500 networks, including in hospitals, schools and enterprises.

However, the FBI did not immediately share the key with the victims and the company. For about three weeks, the FBI kept the key secret, intending to carry out an operation to eliminate the hack group and not wanting to reveal their cards to the criminals. But the law enforcement officers did not have time: as a result, the REvil infrastructure went offline before the operation began. Then Kaseya was given the key to decrypt the data, and Emsisoft experts prepared a special tool for the victims.

We make these decisions collectively, not unilaterally. These are challenging decisions designed to have maximum impact, and fighting such adversaries takes time, which we spend on mobilizing resources not only across the country but around the world.FBI Director Christopher Ray told Congress.

Journalists note that due to the resulting delay, it was already too late for many of the victims. For example, the publication quotes a representative of JustTech, which is one of the clients of MSP Kaseya.

The company spent more than a month restoring the systems of its customers, as restoring from backups or replacing the system is an expensive and time-consuming process:

There were more and more people who cried on the phone, asking how to continue their work. One person said, “Should I just retire? Should I just fire all my employees?.

Swedish grocery chain Coop, also affected by the attack, said it still does not know how much it would cost to temporarily close its stores:

We had to close about 700 stores and it took six days for all of them to reopen. The financial impact of what happened depends on several factors, including lost sales, as well as insurance, and the extent to which it will cover what happened.

The post FBI Kept Secret Key To Decrypt Data After REvil Attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/fbi-kept-secret-key-to-decrypt-data-after-revil-attacks/feed/ 0 5948
Added utility for decrypting data after REvil attacks https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/ https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/#respond Fri, 17 Sep 2021 16:13:51 +0000 https://blog.gridinsoft.com/?p=5934 The Romanian company Bitdefender has published a universal utility for decrypting data affected by REvil (Sodinokibi) ransomware attacks. The tool works for any data encrypted before July 13, 2021. However, the company has so far refused to provide any details, citing an ongoing investigation. Let me remind you that on July 13 of this year… Continue reading Added utility for decrypting data after REvil attacks

The post Added utility for decrypting data after REvil attacks appeared first on Gridinsoft Blog.

]]>
The Romanian company Bitdefender has published a universal utility for decrypting data affected by REvil (Sodinokibi) ransomware attacks.

The tool works for any data encrypted before July 13, 2021.

However, the company has so far refused to provide any details, citing an ongoing investigation.

Let me remind you that on July 13 of this year the entire REvil infrastructure went offline without explanation. Then it was a question of shutting down an entire network of regular and darknet sites that were used to negotiate a ransom, drain data stolen from victims, as well as the internal infrastructure of the ransomware.

Not long before that, in early July 2021, REvil operators carried out a large-scale attack on the customers of the well-known MSP solution provider Kaseya. As a result, the cybercriminals deployed the ransomware in thousands of corporate networks. In addition, shortly before the attack on customers, Kaseya REvil hit the front pages of many publications as it attacked JBS, the world’s largest supplier of beef and poultry, as well as the second largest producer of pork. The company operates in the USA, Australia, Canada, Great Britain and so on, serving clients from 190 countries around the world.

As a result, US President Joe Biden in a telephone conversation called on Russian President Vladimir Putin to stop the attacks of ransomware hackers operating from the territory of the Russian Federation. Biden said that if Russia does not take action after that, the United States will be forced to take it on its own.

Shortly thereafter, REvil went offline for several months, and only returned to service on September 7, 2021. According to information security companies, REvil operators re-activated their old sites, created new profiles on the forums.

At the same time, Kaseya somehow obtained a universal key to decrypt its customers’ data. Then some experts suggested that Russian law enforcement officers received the decryption key from the attackers and handed it over to the FBI as a gesture of goodwill.

Now Bleeping Computer writes that until September 9 there was no evidence of new attacks and that REvil has fully resumed its activity. However, late last week, someone uploaded a new REvil sample to VirusTotal, dated September 4th. And shortly thereafter, the hackers published screenshots of the data stolen from the new victim on their website on the darknet.

The post Added utility for decrypting data after REvil attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/added-utility-for-decrypting-data-after-revil-attacks/feed/ 0 5934