The free decryption tool will help victims recover their encrypted files from attacks carried out before July 13, 2021, says Bitdefender.
Organizations that have been compromised by REvil ransomware can now download and run a free tool to decrypt their hijacked files. In a blog post published Thursday, security firm Bitdefender announced the availability of a universal decryptor for REvil/Sodinokibi ransomware attacks. Revealing that it created the tool in partnership with a trusted law enforcement partner, Bitdefender said the decryptor is designed to help victims of this strain of ransomware recover any encrypted files from attacks that occurred before July 13, 2021.
Affected organizations can download the decryptor directly from a link at the end of Bitdefender's blog post. A link to a step-by-step tutorial on how to use the decryption tool is available from the same post.
Once installed, the tool scans an entire computer or a specific folder for encrypted files and decrypts any it finds. You can install and run the tool on a single computer. Alternatively, you can run it silently across your network or on a remote machine through a command line process.
Bitdefender didn't reveal much about its involvement with the tool, noting that the matter concerns an ongoing investigation and that it can't disclose any details until authorized by the lead investigating law enforcement partner. But it said that both parties felt it important to release the decryptor before the investigation is finished in order to help as many victims as possible.
After launching a series of vicious ransomware attacks since 2019, the criminals behind the REvil/Sodinokibi ransomware staged one of their most notorious capers. On July 3, enterprise IT firm Kaseya revealed a successful cyberattack against its VSA product, a program used by Managed Service Providers (MSPs) to remotely monitor and administer IT services for customers. Given the supply chain nature of Kaseya's business, more than 1,000 companies around the world saw their data encrypted as a result of the attack.
Proudly taking credit for the crime, REvil claimed on its "Happy Blog" that more than 1 million systems had been infected. The gang also devised an intriguing offer that would affect all victims of its ransomware. In exchange for $70 million worth of bitcoin, REvil would provide a universal decryptor with which all affected companies could recover their files.
Several weeks later, Kaseya announced that it had obtained a universal decryptor key for recent victims of REvil. The company didn't reveal any details as to how or where the decryptor was obtained, other than to say that it came from a trusted third party.
But in another twist to this saga, about a week before Kaseya came up with the universal decryptor, REvil went off the grid. The group's Happy Blog went offline, as did its payment and negotiation site. The disappearance of the latter actually left victims in a lurch, as they no longer had a clear way to deal with the gang or pay the ransom if they chose to do so.
"On July 13 of this year, parts of REvil's infrastructure went offline, leaving infected victims who had not paid the ransom unable to recover their encrypted data," Bitdefender said in its post. "This decryption tool will now offer those victims the ability to take back control of their data and assets."
But the story is far from over. Last week, REvil appeared to come back to life following a two-month break. Both the Happy Blog and the payment and negotiation site popped up online once again. Whether or not this means the group is back in business is unknown. But the folks at Bitdefender advise people not to let their guard down.
"We believe new REvil attacks are imminent after the ransomware gang's servers and supporting infrastructure recently came back online after a two-month hiatus," Bitdefender said. "We urge organizations to be on high alert and to take necessary precautions."