{ "id": "e669d9e3-758a-4e4e-8a87-ff3f32e51f74", "created_at": "2026-04-06T00:07:52.214389Z", "updated_at": "2026-04-10T03:24:29.209963Z", "deleted_at": null, "sha1_hash": "9419ca748a4661764bae15585d17bfd438e915af", "title": "Free REvil ransomware master decrypter released for past victims", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1201791, "plain_text": "Free REvil ransomware master decrypter released for past victims\r\nBy Lawrence Abrams\r\nPublished: 2021-09-16 · Archived: 2026-04-05 20:39:31 UTC\r\nA free master decryptor for the REvil ransomware operation has been released, allowing all victims encrypted before the\r\ngang disappeared to recover their files for free.\r\nThe REvil master decryptor was created by cybersecurity firm Bitdefender in collaboration with a trusted law enforcement\r\npartner.\r\nWhile Bitdefender could not share details about how they obtained the master decryption key or the law enforcement agency\r\ninvolved, they told BleepingComputer that it works for all REvil victims encrypted before July 13th.\r\nhttps://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\n\"As per our blog post, we received the keys from a trusted law enforcement partner, and unfortunately, this is the only\r\ninformation we are at liberty to disclose right now,\" Bitdefender's Bogdan Botezatu, Director of Threat Research and\r\nReporting, told BleepingComputer.\r\n\"Once the investigation progresses and will come to an end, further details will be offered upon approval.\"\r\nREvil ransomware victims can download the master decryptor from Bitdefender (instructions) and decrypt entire computers\r\nat once or specify specific folders to decrypt.\r\nTo test the decryptor, BleepingComputer encrypted a virtual machine with an REvil sample used in an attack earlier this\r\nyear. After encrypting our files, we could use Bitdefender's decryptor to easily recover our files, as shown below.\r\nDecrypting REvil encrypted files with decryptor\r\nLaw enforcement likely compromised REvil servers\r\nThe REvil ransomware operation, aka Sodinokibi, is believed to be a rebrand or successor to the now \"retired\" ransomware\r\ngroup known as GandCrab.\r\nSince launching in 2019, REvil has conducted numerous attacks against well-known companies,\r\nincluding JBS, Coop, Travelex, and Grupo Fleury.\r\nFinally, in a massive July 2nd attack using a Kaseya zero-day vulnerability, the ransomware gang encrypted sixty managed\r\nservice providers and over 1,500 businesses worldwide.\r\nhttps://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/\r\nPage 3 of 5\n\nREvil ransom demand for MSP encrypted ion July 2nd\r\nAfter facing intense scrutiny by international law enforcement and increased political tensions between Russia and the\r\nUSA, REvil suddenly shut down its operation on July 13th and disappeared.\r\nWhile REvil was shut down, Kaseya mysteriously received a master decryptor for their attack, allowing MSPs and their\r\ncustomers to recover files for free.\r\nAs Bitdefender states that victims who REvil encrypted before July 13th can use this decryptor, it is safe to assume that the\r\nransomware operation's disappearance was tied to this law enforcement investigation.\r\nIt is also likely that Kaseya obtaining the REvil master decryption key for the attack on their customers is also tied to the\r\nsame investigation.\r\nWhile REvil has returned to attacking victims earlier this month, the release of this master decryptor comes as a massive\r\nboon for existing victims who chose not to pay or simply couldn't after the ransomware gang disappeared.\r\nhttps://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/\r\nhttps://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/" ], "report_names": [ "free-revil-ransomware-master-decrypter-released-for-past-victims" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434072, "ts_updated_at": 1775791469, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9419ca748a4661764bae15585d17bfd438e915af.pdf", "text": "https://archive.orkl.eu/9419ca748a4661764bae15585d17bfd438e915af.txt", "img": "https://archive.orkl.eu/9419ca748a4661764bae15585d17bfd438e915af.jpg" } }