REvil Decryption Key Posted on Cybercrime Forum

But the Key Appears to Only Unlock Files Encrypted in the Kaseya Attack
Someone posted a link to this image that contains a decryption key for files encrypted in the Kaseya attack.

There's yet another twist in the saga around REvil, the prolific but now-defunct ransomware group.

Security analysts are testing a decryption key that a user on the Russian-language cybercrime forum XSS linked to on Friday. Experts say the key decrypts the REvil ransomware used in the July 2 attack against Miami-based software developer Kaseya.

A post on the XSS cybercrime forum contained a link leading to a screenshot with a key that decrypts the REvil ransomware used against Kaseya.

Kaseya develops remote monitoring and management software that's used by managed service providers. In late July, Kaseya acquired a decryptor from a source that would unlock files encrypted by the REvil attack.

Kaseya did not disclose the source of the key and said it did not pay a ransom. It initially said in a now-edited blog post that the acquisition came "unexpectedly" (see: Kaseya Obtains Decryption Tool After REvil Ransomware Hit).

It's unclear if the key that was released on Friday is the same key that Kaseya has been distributing to victims under a nondisclosure agreement. A Kaseya spokesperson said late Tuesday that the company has no comment.

It's possible that one of the recipients of that key who was under a nondisclosure agreement posted it on XSS to try to avoid legal repercussions.

The REvil ransomware ended up infecting about 60 of Kaseya's managed service provider customers and up to 1,500 of their clients. The point of entry was a zero-day authentication vulnerability in the on-premises version of Virtual Service Administrator, or VSA, which is Kaseya's remote IT management software.

Not Terribly Useful?

Some observers claim that the key released Friday may be the elusive "operator" key - a decryption key that unlocks files from all REvil ransomware variants. But it's looking increasingly unlikely that is accurate.

The key may not be terribly useful to anyone at this point, says Allan Liska, an intelligence analyst with Recorded Future's computer security incident response team.

"At this point, most REvil victims have already gone down the path of recovery," Liska says.

One reason: Downstream victims of the attack against Kaseya have been able to get access to a decryptor after it was passed to the company. Kaseya worked with Emsisoft, a security vendor, to verify the decryptor and ensure that it worked without exposing victims to further risk.

After the attack against Kaseya, REvil's infrastructure went offline, although it's unclear why. REvil's disappearance coincided with increasingly aggressive calls by the U.S. that Russia needed to do more about cybercriminals that operate within its borders (see: REvil's Infrastructure Goes Offline).

'Good Luck'

The key was posted Friday on the XSS forum by someone using the nickname Ekranoplan. The individual's account was created on Aug. 4.

Ekranoplan wrote in Russian: "If someone needs a REvil decryptor key, I put it here. Good luck," and then included this link to GitHub. The GitHub link contains a screenshot that includes a string that is the decryption key. It is labelled "master_sk."

REvil's ransomware used four sets of cryptographic keys, as explained in a tweet thread in early July by Fabian Wosar, Emsisoft's CTO.

The master_sk key is also known as a "campaign" key, or a key that is used for a specific campaign against a specific entity. To put it another way, it's different for every victim. So if the screenshot posted on GitHub has an accurate label, this would appear to be just the decryption key for Kaseya victims.

There's also what Emsisoft calls an "operator" key. A public operator key is coded into every REvil sample. It's believed that the private operator key could decrypt all REvil variants. But Wosar tweets that those types of keys have been tightly held, and his company has never seen one. He later tweeted that what was released is not the operator key.
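To make the distinction between a campaign key and an operator key concrete, here is an added, simplified model; it is not REvil's code or its actual cryptography (REvil uses public/private key pairs, whereas this stand-in escrows each victim's session key with symmetric keys and an HMAC-based wrapping construct). The key names, victim labels and key values are constructed for the example.

```python
import hashlib, hmac, secrets
from typing import Optional

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (a stand-in for a real cipher).
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def wrap(kek: bytes, session_key: bytes) -> bytes:
    # Escrow session_key under the key-encryption key kek: nonce | ciphertext | tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(session_key, _keystream(kek, nonce, len(session_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    # Returns the session key, or None when kek is not the key it was wrapped under.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def infect(campaign_key: bytes, operator_key: bytes) -> dict:
    # Constructed victim record: a fresh session key escrowed twice, once under the
    # campaign key and once under the operator key. The plaintext copy is kept only
    # so the demo can verify recovery; a real victim would hold just the wrapped copies.
    session = secrets.token_bytes(32)
    return {"session": session, "wrapped_campaign": wrap(campaign_key, session),
            "wrapped_operator": wrap(operator_key, session)}

def recover_session_key(record: dict, leaked_key: bytes) -> Optional[bytes]:
    # What a decryptor does with a leaked key: try it against both escrow copies.
    for field in ("wrapped_campaign", "wrapped_operator"):
        if (session := unwrap(leaked_key, record[field])) is not None:
            return session
    return None

def demo() -> dict:
    operator_sk, kaseya_master_sk, other_master_sk = (secrets.token_bytes(32) for _ in range(3))
    kaseya_victim = infect(kaseya_master_sk, operator_sk)  # victim of the Kaseya campaign
    other_victim = infect(other_master_sk, operator_sk)    # victim of a different campaign
    return {
        "campaign_key_unlocks_own_victim": recover_session_key(kaseya_victim, kaseya_master_sk) == kaseya_victim["session"],
        "campaign_key_unlocks_other_victim": recover_session_key(other_victim, kaseya_master_sk) is not None,
        "operator_key_unlocks_both": recover_session_key(kaseya_victim, operator_sk) == kaseya_victim["session"]
        and recover_session_key(other_victim, operator_sk) == other_victim["session"],
    }
```

Running `demo()` shows why a leaked campaign key (the `master_sk` label in the screenshot) helps only that campaign's victims, while an operator key would cover every victim whose session key was escrowed under it.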

A couple of users on the XSS forum claim to have been able to use what was released to unlock files encrypted by other REvil variants. Also, in a second posting, Ekranoplan writes that the key "was provided to us by our parent company and is supposed to work for all REvil victims, not just us."

Two members of the XSS forum say the released key works for recent REvil ransomware samples.

Also, the threat intelligence firm Flashpoint said in a blog post that the key may be a "master" for REvil encrypted data but initially didn't mention Kaseya. The blog post was later edited to clarify that the key works with files encrypted in the Kaseya attack and that the company was investigating whether it might work more broadly.

"Flashpoint patched the decryptor binary with the annotated key from the thread, and successfully decrypted a sandbox infected with the new REvil test sample, upon changing the file extensions to “universal_tool_xxx_yyy” as seen in the screenshot," the company writes. "The files were properly decrypted once the file extensions were renamed."


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
