According to Bitdefender security researchers, all victims of attacks carried out before July 13th with the encryption Trojans of the REvil group, also known as Sodinokibi, can use a new universal decryptor to restore their data and make it usable again. The free tool was developed by the researchers in cooperation with a "recognized law enforcement partner" whom they do not want to name for the time being because of ongoing investigations.
The "REvil decryptor" is available for download free of charge now, and the researchers have also published step-by-step instructions for using the tool. The development partners have apparently found errors in the ransomware's encryption. They released the decryptor while the police investigation is still running "to help as many victims as possible" and are currently not giving any further details about the ongoing investigation.
REvil went offline
After the cyber attack on the operator of the Colonial Pipeline in the USA in May, Russia-based online extortion gangs such as REvil and DarkSide initially declared that they would no longer attack organizations in the "social sector", such as healthcare and educational institutions, and no longer public administration infrastructure in any country. In mid-July, the REvil infrastructure went at least partially offline. Victims of the gang who had not paid a ransom by then were no longer able to recover their encrypted data.
The REvil group appeared in 2019 as the successor to the now defunct GandCrab gang and is considered one of the busiest ransomware operations on the dark web. Over the past several years, members of the REvil affiliate program have targeted thousands of IT companies, service providers and retailers around the world. After successfully encrypting a company's data, they demanded high ransom payments of up to 70 million US dollars in exchange for a decryption key and the promise that the internal data stolen during the attack would not be published.
New attacks expected
Bitdefender believes that new REvil attacks are imminent. The servers and supporting infrastructure of the ransomware gang recently came back online after a two-month hiatus. Some of the gang's previous IT systems are said to have been compromised by an unknown party. Attacks are likely to resume.
The security researchers urge organizations to "be on high alert and take the necessary precautionary measures". In January, Bitdefender had already released a free decryption tool that was meant to work against all DarkSide versions in circulation at the time. Observers believe there are close ties between core members of DarkSide and REvil.