Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service
Good News: REvil Ransomware Victims Get Free Decryptor
Many Files Crypto-Locked Before July 13 Unlockable via Free Bitdefender DecryptorScore one for the good guys in the fight against ransomware: Anyone who fell victim to REvil, aka Sodinokibi, crypto-locking malware before July 13 can now decrypt their files for free.
See Also: Live Webinar | Endpoint Security: Defending Today's Workforce Against Cyber Threats
On Thursday, antivirus vendor Bitdefender released a free decryptor for REvil, which first began operating in April 2019.
The free decryptor is also available for download via the No More Ransom project, which is a public-private collaboration involving multiple private security firms, as well as Dutch cybercrime police and the EU's law enforcement intelligence agency, Europol.
The operating instructions for the free decryptor note that "some versions" of REvil won't be decryptable.
By this, Bitdefender means the decryptor only works with prior attacks. "This specification refers to the fact that our tool can decrypt ransomware attacks that occurred until July 13," Bogdan Botezatu, director of threat research and reporting at Bitdefender, tells Information Security Media Group. "Also, with the REvil team back in business, we expect that they will rotate keys, so our decryptor will not be effective for future attacks. This is 'business as usual' in the fight against ransomware."
But the existence of a free decryptor means that past victims of REvil who chose to not pay a ransom, yet who may not have been able to successfully restore all of their crypto-locked files from backups, should be able to get their data back.
How Free Decryptors Get Built
This is far from the first time that a free decryptor has been released to help ransomware victims.
Indeed, for more than five years, No More Ransom has been helping to gather such decryptors for public use. Bitdefender, Emsisoft and other firms continue to develop such decryptors. These efforts are aided by ransomware operations calling it quits and releasing all their keys, as Avaddon did in June (see: 'Fear' Likely Drove Avaddon's Exit From Ransomware Fray).
Or sometimes, researchers find weaknesses that they can exploit to forcibly decrypt files, as they did with REvil's predecessor GandCrab. Unfortunately, attackers will typically rapidly update their code to eliminate the flaws, since free decryptors undercut their criminal business model.
Finally, some decryptors result from police infiltrating criminal infrastructure or arresting administrators, giving them access to all of the decryption keys, which they pass on to security researchers to build free decryptors.
REvil Probe is 'Ongoing Investigation'
How Bitdefender was able to obtain the REvil decryption keys necessary to write this decryptor remains unclear.
"Please note this is an ongoing investigation and we can't comment on details related to this case until authorized by the lead investigating law enforcement partner," Bitdefender says. "Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible."
Bitdefender says that any REvil victims who have any problems with the decryptor should contact the company directly.
Reading between the lines, law enforcement authorities may have disrupted REvil's infrastructure, which went offline on July 13, and at the same time retrieved the key information from the operation's servers, says ransomware-hunting veteran Fabian Wosar, CTO of antivirus vendor Emsisoft.
Looks like during the takedown of parts of the REvil infrastructure several months ago LEA got their hands on the secret key required to decrypt the ransom note key blobs which include the secret key for the system. Great news for older victims who can decrypt their files now. :)— Fabian Wosar (@fwosar) September 16, 2021
REvil Went Dark in July
REvil's infrastructure going dark in July could instead have been its response to U.S. President Joe Biden pressing Russian President Vladimir Putin, at a June 17 summit in Geneva, to arrest criminals operating inside Russia's borders who were launching ransomware attacks abroad. The White House has also brought more law enforcement and intelligence resources to bear to track and potentially disrupt transnational cybercrime groups.
REvil has been a big focus because the group continues to dominate the ransomware attack landscape.
Ransomware incident response firm Coveware, based on thousands of cases that it helped investigate from April through June, says REvil was the most prevalent strain of ransomware that it saw. The group gained extra notoriety after attacking meat processing giant JBS in May, which paid the group an $11 million ransom. Over the July 4 holiday weekend, REvil unleashed an attack via Miami-based remote management software firm Kaseya's remote management software, which is used by a number of managed service providers. Approximately 1,500 of those MSPs' clients ended up infected with REvil ransomware.
Later, however, Kaseya somehow obtained a universal decryptor for victims infected via its software. The firm did not specify how, except to note that it had paid no ransom. Subsequently, the universal decryptor for the Kaseya attack was posted to the Russian-language XSS cybercrime forum.
Emsisoft's Wosar told ISMG in 2019 that one innovation introduced by REvil, based on demand from GandCrab users, was the ability to more easily hit MSPs' customers, and more easily ransom - including decrypt - what might be dozens, hundreds or more individual victims, all of which could be managed with a single, universal decryptor for that attack (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).
REvil Claims User Error Aided Kaseya Recovery
In a Sept. 10 post to the Russian-language cybercrime forum Exploit, a representative for REvil claimed that a user error had resulted in the operation accidentally sharing a universal decryptor with a victim of its Kaseya attack who had paid a ransom.
"Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine. Then, in the process of generating the keys, we had to generate between 20 and 500 decryption keys for each [individual] victim [because the victims of the Kaseya attack all had networks of different sizes]. One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine," a forum user named "REvil" posted, according to a translation from threat intelligence firm Flashpoint.
Whether this is true remains unknown.
"Forum posts should be taken with a pinch of salt," Brett Callow, a threat analyst at Emsisoft, tells ISMG. "The criminals know the forums are being monitored and so effectively use them as a press release service. They say what they want us to know. No more, no less."
Note that the universal key is separate to what researchers call a master key.
As Yelisey Boguslavskiy, head of research at Advanced Intelligence, told Threatpost, a master key would be held only by REvil's top administrators, and could be used to generate a decryptor for any infection created by the group's malware. Boguslavskiy said that security researchers have "never seen this key before."
REvil: Reloaded
Did REvil disappear because the Biden administration tasked U.S. Cyber Command to scuttle its infrastructure? Asked that question in late July, a White House official said that while the administration welcomed REvil having gone dark, it didn't know why the group's attacks had ceased.
White House officials have said they expected it would take at least six months to tell whether or not Moscow was taking Biden's request seriously, which he repeated to Putin in a July 9 phone call.
But at least thus far, some officials say they've seen no signs of action.
This week, FBI Deputy Director Paul Abbate said at the National Security Summit in National Harbor, Maryland, that "based on what we've seen, I would say there is no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they have created there," The Hill reported (see: Russia Has Taken No Action to Combat Ransomware, FBI Says).
Unfortunately, REvil has now returned. Its data leak server and payment portal came back online on Sept. 7 and payment countdown timers - before the attackers threatened to leak stolen data - have been reset. On Sept. 9, meanwhile, security experts spotted a new version of its crypto-locking malware had been uploaded to malware-scanning service VirusTotal, likely by a fresh target. In recent days, the group has listed one new victim on its data-leak site, as part of its attempt to extort it into paying a ransom.
Security experts anticipate REvil will ensure that the free decryptor that's been released won't interfere with future attacks. "We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two-month hiatus," Bitdefender says. "We urge organizations to be on high alert and to take necessary precautions."
Update 1
Editor's note, Sept. 18: Bitdefender says files encrypted by some versions of REvil that are above a certain size can be corrupted by its restoration tool. It's disabled the ability to decrypt files crypto-locked by these versions of REvil, while it prepares a fix. For anyone who uses the tool, also, "we strongly advise to check the 'backup files' option," the company says, to help prevent inadvertent data loss.
Update 2
Editor's note, Sept. 19: Wosar says the decryptor has been updated to fix the problem, and to add more functionality.
It appears that Bitdefender updated their tool. Not only did they change their defaults to now create backups unless disabled but they also added support for the third encryption mode REvil introduced at the beginning of 2020. Good job! :) https://t.co/P3gLWLHBoe
— Fabian Wosar (@fwosar) September 18, 2021