{
	"id": "2ed7c917-0356-4bd6-9cbb-b11c42ed5389",
	"created_at": "2026-04-06T00:19:43.800871Z",
	"updated_at": "2026-04-10T03:20:21.585156Z",
	"deleted_at": null,
	"sha1_hash": "71eacc24f92be3c9273ef3a00ff6bea5ef370715",
	"title": "Kaseya obtains universal decryptor for REvil ransomware victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2710324,
	"plain_text": "Kaseya obtains universal decryptor for REvil ransomware victims\r\nBy Lawrence Abrams\r\nPublished: 2021-07-22 · Archived: 2026-04-05 20:10:04 UTC\r\nKaseya received a universal decryptor that allows victims of the July 2nd REvil ransomware attack to recover their files for\r\nfree.\r\nOn July 2nd, the REvil ransomware operation launched a massive attack by exploiting a zero-day vulnerability in the\r\nKaseya VSA remote management application to encrypt approximately sixty managed service providers and an estimated\r\n1,500 businesses.\r\nAfter the attack, the threat actors demanded $70 million for a universal decryptor, $5 million for MSPs, and $40,000 for\r\neach extension encrypted on a victim's network.\r\nhttps://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nRevil's $70 million ransom demand\r\nSoon after, the REvil ransomware gang mysteriously disappeared, and the threat actors shut down their payment sites and\r\ninfrastructure.\r\nWhile most victims were not paying, the gang's disappearance prevented companies who may have needed to purchase a\r\ndecryptor unable to do so.\r\nToday, Kaseya has stated that they received a universal decryptor for the ransomware attack from a \"trusted third party\" and\r\nare now distributing it to affected customers.\r\n\"We can confirm we obtained a decryptor from a trusted third party but can’t share anymore about the source,\"\r\nKaseya's SVP Corporate Marketing Dana Liedholm told BleepingComputer.\r\n\"We had the tool validated by an additional third party and have begun releasing it to our customers affected.\"\r\nWhile Kaseya would not share information about the key's source, they confirmed with BleepingComputer that it is the\r\nuniversal decryption key for the entire attack, allowing all MSPs and their customers to decrypt files for free.\r\nWhen asked whether they paid a ransom to receive a decryptor, Kaseya told BleepingComputer that they \"can’t confirm or\r\ndeny that.\"\r\nEmsisoft CTO Fabian Wosar told BleepingComputer that they were the third party who validated the key and will continue\r\nto aid Kaseya in their recovery efforts. \r\n\"We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at\r\nunlocking victims and will continue to provide support to Kaseya and its customers,\" Wosar told BleepingComputer.\r\nIt is unclear what caused the REvil ransomware operation to shut down and go into hiding, and multiple international law\r\nenforcement agencies have told BleepingComputer that they were not involved in their disappearance.\r\nAfter the attack on JBS and Kaseya, the White House's has pressured the Russian government to do something about the\r\nransomware gangs believed to be operating within Russia.\r\nIt is believed that the Russian government told the REvil ransomware gang to shut down and disappear to show that they\r\nwere working with the USA.\r\nAs the decryptor was obtained after the REvil gang's disappearance, it is possible that Russia received it directly from the\r\nransomware gang and shared it with US law enforcement as a gesture of goodwill.\r\nWhen we asked the FBI if they were involved in the procurement of the decryption key, we were told that they do not\r\ncomment on ongoing investigations.\r\n\"The DOJ and FBI have an ongoing criminal investigation into the criminal enterprise behind the REvil/Sodinokibi\r\nransomware variant and the actors responsible for the Kaseya ransomware attack specifically,\" the FBI told\r\nBleepingComputer.\r\n\"Per DOJ policy, we cannot comment further on this ongoing investigation.\"\r\nREvil's disappearance is likely not the end of the gang's online activities.\r\nhttps://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/\r\nPage 3 of 4\n\nIn the past the GandCrab ransomware operation shut down and rebranded as REvil, and it is expected that REvil will\r\nresurface again as a new ransomware operation.\r\nUpdate 7/22/21 9:42 PM EST: Added Emsisoft and FBI statements.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/\r\nhttps://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/"
	],
	"report_names": [
		"kaseya-obtains-universal-decryptor-for-revil-ransomware-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434783,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71eacc24f92be3c9273ef3a00ff6bea5ef370715.pdf",
		"text": "https://archive.orkl.eu/71eacc24f92be3c9273ef3a00ff6bea5ef370715.txt",
		"img": "https://archive.orkl.eu/71eacc24f92be3c9273ef3a00ff6bea5ef370715.jpg"
	}
}