{
	"id": "671a7790-cbf6-437d-9228-4228fa10d977",
	"created_at": "2026-04-06T00:11:24.299788Z",
	"updated_at": "2026-04-10T03:20:24.580185Z",
	"deleted_at": null,
	"sha1_hash": "44ad31f60e226e9ccb5e5ab2e424d5a43855364e",
	"title": "REvil Master Key for Kaseya Attack Posted to XSS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173379,
	"plain_text": "REvil Master Key for Kaseya Attack Posted to XSS\r\nBy Flashpoint\r\nPublished: 2021-08-10 · Archived: 2026-04-05 15:43:09 UTC\r\nFlashpoint analysts have identified a post on the Russian-language XSS Forum in which a threat actor operating under the alias “Ekranoplan” posted a possible master key for REvil in a screenshot on GitHub.[1] Thus far, Flashpoint analysts have been able to attribute this key to the restoration of data associated with the recent Kaseya ransomware attack, and are exploring whether it has broader applicability.\r\nREvil (aka “Sodinokibi” or “Sodin”) is a Russian ransomware extortionist threat group that is responsible for several high-visibility ransomware incidents in recent months, including the attack against technology provider Kaseya. While REvil was purportedly shut down in July 2021, many of their targets remain impacted by their activities, and other groups have recently emerged that Flashpoint analysts assess as being related to REvil.\r\nEkranoplan shared a link to the screenshot on August 6, 2021. The user does not appear to have any further posting history on the forum. Several users questioned the utility of a screenshot in decrypting files, to which Ekranoplan answered in Russian, “This was provided to us by our parent company and is supposed to work for all REvil victims, not just us.” While the origins of Ekranoplan are unknown, no pun intended, Flashpoint analysts tested the REvil decryptor. As one user in the thread highlighted, replacing the decryption key with this key should work.\r\nFlashpoint patched the decryptor binary with the annotated key from the thread, and successfully decrypted a sandbox infected with the new REvil test sample, upon changing the file extensions to “universal_tool_xxx_yyy” as seen in the screenshot. The files were properly decrypted once the file extensions were renamed.\r\nScreenshot of master key posting from GitHub.\r\nhttps://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/\r\nPage 1 of 2\r\nPosting in XSS Forum, as seen (and translated) in the Flashpoint platform\r\nLike the Russian aircraft from which Ekranoplan takes their name, the user flew out of the forum thread as quickly as they entered. The mystery remains as to the true reason for REvil’s sudden disappearance. Whether their infrastructure was the target of a coordinated law enforcement operation, the decryption key was leaked by a former victim, or the REvil operators had a change of heart remains a point of conjecture. At this time, the outcome is the same. Analysts will continue to monitor for changes in the ransomware ecosystem.\r\nTrack Ransomware Activity With Flashpoint\r\nThe data above was discovered directly through analyst research in the Flashpoint platform. Sign up for a free trial, and see firsthand how Flashpoint can help you and your organization access the most critical information affecting your industry and the security community.\r\nSources: [1] hxxps://github[.]com/Fr3akaLmaTT3r/decryptor/blob/main/screenshot.png\r\nSource: https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/"
	],
	"report_names": [
		"possible-universal-revil-master-key-posted-to-xss"
	],
	"threat_actors": [],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44ad31f60e226e9ccb5e5ab2e424d5a43855364e.pdf",
		"text": "https://archive.orkl.eu/44ad31f60e226e9ccb5e5ab2e424d5a43855364e.txt",
		"img": "https://archive.orkl.eu/44ad31f60e226e9ccb5e5ab2e424d5a43855364e.jpg"
	}
}