Jump to content
  • Kaseya's universal REvil decryption key leaked on a hacking forum


    Karlston

    • 767 views
    • 4 minutes
     Share


    • 767 views
    • 4 minutes

    The universal decryption key for REvil's attack on Kaseya's customers has been leaked on hacking forums allowing researchers their first glimpse of the mysterious key.

     

    On July 2nd, the REvil ransomware gang launched a massive attack on managed service providers worldwide by exploiting a zero-day vulnerability in the Kaseya VSA remote management application.

     

    This attack encrypted approximately sixty managed service providers and an estimated 1,500 businesses, making it possibly the largest ransomware attack in history.

     

    After the attack, the threat actors demanded a $70 million ransom to receive a universal decryptor that could be used to decrypt all victims of the Kaseya ransomware attack.

     

    However, the REvil ransomware gang mysteriously disappeared, and soon after, the gang's Tor payment sites and infrastructure were shut down.

     

    The gang's disappearance prevented companies who may have needed to purchase a decryptor now unable to do so.

     

    On July 22nd, Kaseya obtained a universal decryption key for the ransomware attack from a mysterious "trusted third party" and began distributing it to affected customers.

     

    Before sharing the decryptor with customers, CNN reported that Kaseya required them to sign a non-disclosure agreement, which may explain why the decryption key hasn't shown up until now.

     

    It is generally believed that Russian intelligence received the decryptor from the ransomware gang and shared it with US law enforcement as a gesture of goodwill.

    Decryption key leaked on a hacking forum

    Yesterday, security researcher Pancak3 told BleepingComputer that someone posted a screenshot of what they claimed was a universal REvil decryptor on a hacking forum.

     

    forum-post.jpg

    Forum post about Kaseya decryptor on a hacking forum

    This post linked to a screenshot on GitHub that showed an REvil decryptor running while displaying a base64 hashed 'master_sk' key. This key is 'OgTD7co7NcYCoNj8NoYdPoR8nVFJBO5vs/kVkhelp2s=', as shown below.

     

    kaseya-decryptor-screen.jpg

    Screenshot of alleged Kaseya REvil decryptor

    When REvil ransomware victims pay a ransom, they receive either a decryptor that works for a single encrypted file extension or a universal decryptor that works for all encrypted file extensions used in a particular campaign or attack.

     

    The screenshot above is for a universal REvil decryptor that can decrypt all extensions associated with the attack.

     

    To be clear, while it was originally thought that the decryption key in this screenshot might be the master 'operator' key for all REvil campaigns, BleepingComputer has confirmed that it is only the universal decryptor key for victims of the Kaseya attack.

     

    This was also confirmed by Emsisoft CTO and ransomware expert Fabian Wosar.

     

     

    BleepingComputer tested the leaked key by patching an REvil universal decryptor with the decryption key leaked in the screenshot.

     

     

    decryptor-hex-edit.jpg

    Patching an REvil universal decryptor

    After patching the decryptor, we encrypted a virtual machine with REvil ransomware samples used in the Kaseya attack.

     

    As shown in our video below, we then used our patched REvil Universal Decryptor to decrypt the encrypted files successfully.

     

     

    Security firm Flashpoint also confirmed that they could decrypt files encrypted during the Kaseya ransomware attack using this decryption key.

     

    We also tried the decryptor on other REvil samples we have accumulated over the past two years. The decryptor did not work, indicating it is not the master decryption key for all REvil victims.

     

    It is not clear why the Kaseya decryptor was posted on a hacking forum, which is an unlikely place for a victim to post.

     

    However, BleepingComputer was told by numerous sources in the cybersecurity intelligence industry that they believe that the poster is affiliated with the REvil ransomware gang rather than a victim.

     

    Regardless of the reasons for it being posted, for those following the Kaseya ransomware attack, this is our first access to the universal decryptor key that Kaseya mysteriously received.

     

     

    Kaseya's universal REvil decryption key leaked on a hacking forum


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...