The universal decryption key that Kaseya customers can use to restore files encrypted during REvil’s attack has been leaked online on a hacker forum. This allows researchers to study it for the first time and get a glimpse into the encryption techniques of the now-defunct gang.
The REvil gang launched a massive attack on July 2nd, which exploited a zero-day flaw in the Kaseya VSA remote management application. The attack affected over 1,500 businesses and managed service providers and is considered the biggest ransomware attack in history. The REvil ransomware gang mysteriously disappeared following the attack, fearing law enforcement action. Its Tor payment site and infrastructure were also shut down.
On July 22, 2018, Kaseya gained access to a universal decryption key for this ransomware attack and began distributing it to its affected customers. It is believed that Russia’s intelligence agency gave the decryptor to US law enforcement as a gesture of goodwill.
As CNN reported, when providing the decryptor, Kaseya required customers to sign a non-disclosure agreement, which may explain why the decryption key hasn’t surfaced until now.
Yesterday, a security researcher who goes by the name Pancak3 claimed that the REvil decryptor was posted on a hacker forum.
It was initially thought to be the master key for every REvil campaign, but various experts confirmed that it is only the universal decryptor key for the Kaseya attack.
Security firm Flashpoint has confirmed that this decryption key works: the firm successfully decrypted files encrypted during the July ransomware attack on Kaseya.
The reason why the Kaseya decryptor was posted on a hacking forum is not clear. Usually, cybercriminals do not leak such decryptors on a hacker forum.
Numerous experts from the cybersecurity industry think that the poster is likely affiliated with REvil, and not a victim.