Cybersecurity software provider Bitdefender has made available a free universal decryption key for victims of REvil/Sodinokibi ransomware that had their data encrypted by hackers using the ransomware variant before July 13.
According to the company, the key was created in collaboration with a “trusted law enforcement partner” and can help victims restore files encrypted in attacks carried out before that date. July 13 is when part of the ransomware group’s infrastructure went offline, leaving infected victims who had not yet paid the ransom with no way to recover their encrypted data.
Bitdefender remained mum on other details, citing an ongoing investigation.
“Please note this is an ongoing investigation and we can’t comment on details related to this case until authorized by the lead investigating law enforcement partner,” the company wrote in a blog post. “Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible.”
The universal decryptor is free to download from the company’s website, and a step-by-step guide on using it was also released.
Part of REvil’s infrastructure went offline mid-July, shortly after the group undertook a massive July 4 weekend attack that leveraged the Kaseya VSA product and dozens of managed service providers that used the popular IT management tool.
More than 1,000 organizations were caught up in the attack, and many had still not recovered their data when the group went dark, a disappearance some attributed to law enforcement activity and others to a desire to lie low after such a large-scale attack.
Around that time, Kaseya – which obtained the key through unnamed sources – released a master key to help victims of that attack recover their data. That key, however, only decrypted data belonging to victims of that single attack.
Since then, the group has resurfaced, according to Bitdefender and other news reports.
“We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus,” the company wrote in the blog post. “We urge organizations to be on high alert and to take necessary precautions.”