REvil: We Accidentally Leaked Kaseya Universal Decryptor Key

‘One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves,’ says REvil on a Russian-language forum.


The notorious REvil gang said the universal decryptor key for all victims of the Kaseya ransomware attack was accidentally released to victims by a coder.

“Our encryption process allows us to generate either a universal decryptor key or individual keys for each machine,” REvil wrote Friday morning on an illicit Russian-language forum called Exploit. “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”

REvil said it had to generate between 20 and 500 decryption keys for each of the roughly 1,500 customers compromised in the Kaseya ransomware attack since all the victims had networks of different sizes. The sheer volume of keys led to a mistake where victims who paid the ransom found the universal decryptor key had been released among the individual decryptor keys relevant to their organization.

Sponsored post

[Related: Kaseya Gets REvil Ransomware Decryptor Key To Help Victims]

When victims discovered that had the universal decryptor key, they sent it to Kaseya as well as law enforcement agencies, according to risk intelligence vendor Flashpoint, which translated REvil’s posts on Exploit from Russian to English. REvil first said on Exploit Thursday that the Kaseya universal decryptor key was leaked by law enforcement agencies due to human error during the key generation process.

Kaseya declined to comment on the latest REvil-related revelation.

In one of two clarification posts REvil made on Exploit Friday morning, REvil said the payments totaled “over 10kk,” which is another way of saying more than $10 million USD, said a source familiar with the situation. It isn’t clear if this statement is referring to payments made by victims of the Kaseya ransomware attack to REvil or something else, and Flashpoint didn’t respond to a request for comment.

“The payments totaled over 10kk (sic) and everyone knows about them,” REvil wrote on Exploit at 9:40 a.m. ET Friday. “No one was scammed. We are in contact with our affiliates, we aren’t hiding anything.”

One threat actor opened an arbitration case against a REvil spokesperson earlier this week on an illicit Russian-language forum, claiming the REvil spokesperson owed them money before disappearing in July and wants to be compensated now that the ransomware gang is again operational. The threat actor said Wednesday they closed the arbitration case since the issue had been resolved, according to Flashpoint.

Prior to REvil’s posts on Exploit over the past two days, there were rumors that Russian intelligence services received a universal Kaseya-related decryptor from REvil and passed it along to U.S. authorities. Some speculated that the U.S. government’s decision to remove sanctions on companies participating in the Nord Stream 2 pipeline had to do with the alleged key transaction between the U.S. and Russia.

Flashpoint, however, said there’s no evidence of a link between the disappearance and re-emergence of REvil and talks that took place over the summer between President Joe Biden and his Russian counterpart, Vladimir Putin. Moreover, Flashpoint said the removal of Nord Stream 2 sanctions is in line with President Biden’s stated foreign policy objectives.

An alleged representative of REvil said on Exploit Thursday that the ransomware gang has managed to come back online using their backups. The REvil leaks blog – known as Happy Blog – came back online Tuesday after a two-month hiatus. REvil’s TOR servers and infrastructure were shut down in July after the Kaseya cyberattack and a master decryption key was leaked that worked for Kaseya victims.

But now, Flashpoint said REvil appears to be fully operational after its hiatus and is making efforts to mend fences with former affiliates who had expressed unhappiness about the group disappearance. Flashpoint expects other former affiliates will open arbitration cases against REvil in the future once the ransomware gang’s return has been confirmed.

Any information provided by a ransomware gang should be treated with massive skepticism, Emsisoft threat analyst Brett Callow told CRN. Kaseya in late July said it was working with Emsisoft to help customers recover from the ransomware attack, with the anti-malware software provider supporting customer engagement efforts and confirming the decryptor key was effective at unlocking victims.

“Gangs know fully well that cybercrime forums are monitored by both security researchers and law enforcement agencies and moderate their comments accordingly,” Callow told CRN in an email Friday. “They use them as an opportunity to create confusion, pressure victims and promote their affiliate programs. Bottom line: they’re criminals and they strategically lie to further their objectives.”