Bitdefender has released a universal decryptor for REvil/Sodinokibi victims. The tool can decrypt files belonging to the gang’s victims that were encrypted before July 13, 2021.
In response to the mass ransomware attacks, Bitdefender launched a tool it jointly developed with a trusted law enforcement agency to help victims get their data back and avoid paying a ransom.
Several REvil victims refused to pay a ransom and did not get their decryption keys after the July 4 attack on Kaseya. The group has been leaking information about victims since then.
The group recently resurfaced after a short disappearance and already announced a new victim this Thursday.
According to Bogdan Botezatu, director of threat research at Bitdefender, the release of the decryptor for the group’s ransomware has been followed by a spike in downloads and in emails the company has been receiving from victims.
According to Botezatu, it is difficult to determine how many victims REvil has managed to infect since 2019 due to the lack of victims reporting the infections. The reason why the decryptor works only for victims before July 13 is “related to the decryption keys that we have available from our trusted law enforcement partner,” he said.
“We have tested the tool against recent attacks and our tool cannot yet decrypt attacks after the July 13 date,” Botezatu said. “We are pleased we are helping victims who have been impacted. Like other industry researchers, we have seen REvil activity start back up. Based on our experience we believe new ransomware attacks are imminent and organizations of all sizes and in all industries should be on high alert.”
According to the company, it is working on new versions of decryptors for various other families of ransomware.
In a statement, the company said it would not be able to discuss details of all the cases until the lead investigator permits it.
“Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible,” Bitdefender said. “We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus. We urge organizations to be on high alert and to take necessary precautions.”
REvil is a variant of the GandCrab ransomware that originated from a country outside the European Union, and its operators are most likely based in the Commonwealth of Independent States (CIS).