{
	"id": "93a89b05-cd0d-4828-b9a0-2a43cc909362",
	"created_at": "2026-04-10T03:21:17.559642Z",
	"updated_at": "2026-04-10T03:22:17.144616Z",
	"deleted_at": null,
	"sha1_hash": "b72635bb08f36db4c45f08eb2992d29ea8f9d4db",
	"title": "Kaseya's universal REvil decryption key leaked on a hacking forum",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1440802,
	"plain_text": "Kaseya's universal REvil decryption key leaked on a hacking\r\nforum\r\nBy Lawrence Abrams\r\nPublished: 2021-08-11 · Archived: 2026-04-10 02:55:33 UTC\r\nThe universal decryption key for REvil's attack on Kaseya's customers has been leaked on hacking forums,\r\nallowing researchers their first glimpse of the mysterious key.\r\nOn July 2nd, the REvil ransomware gang launched a massive attack on managed service providers worldwide by\r\nexploiting a zero-day vulnerability in the Kaseya VSA remote management application.\r\nThis attack encrypted approximately sixty managed service providers and an estimated 1,500 businesses, making\r\nit possibly the largest ransomware attack in history.\r\nhttps://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/\r\nPage 1 of 6\n\nAfter the attack, the threat actors demanded a $70 million ransom to receive a universal decryptor that could be\r\nused to decrypt all victims of the Kaseya ransomware attack.\r\nHowever, the REvil ransomware gang mysteriously disappeared, and soon after, the gang's Tor payment sites and\r\ninfrastructure were shut down.\r\nThe gang's disappearance left companies who may have needed to purchase a decryptor unable to do\r\nso.\r\nOn July 22nd, Kaseya obtained a universal decryption key for the ransomware attack from a mysterious \"trusted\r\nthird party\" and began distributing it to affected customers.\r\nBefore sharing the decryptor with customers, CNN reported that Kaseya required them to sign a non-disclosure\r\nagreement, which may explain why the decryption key hasn't shown up until now.\r\nIt is generally believed that Russian intelligence received the decryptor from the ransomware gang and shared it\r\nwith US law enforcement as a gesture of goodwill.\r\nDecryption key leaked on a hacking forum\r\nYesterday, security researcher Pancak3 told BleepingComputer that someone posted a screenshot of what they\r\nclaimed was a 
universal REvil decryptor on a hacking forum.\r\nForum post about Kaseya decryptor on a hacking forum\r\nThis post linked to a screenshot on GitHub that showed an REvil decryptor running while displaying a base64\r\nhashed 'master_sk' key. This key is 'OgTD7co7NcYCoNj8NoYdPoR8nVFJBO5vs/kVkhelp2s=', as shown below.\r\nScreenshot of alleged Kaseya REvil decryptor\r\nWhen REvil ransomware victims pay a ransom, they receive either a decryptor that works for a single encrypted\r\nfile extension or a universal decryptor that works for all encrypted file extensions used in a particular campaign or\r\nattack.\r\nThe screenshot above is for a universal REvil decryptor that can decrypt all extensions associated with the attack.\r\nTo be clear, while it was originally thought that the decryption key in this screenshot might be the master 'operator'\r\nkey for all REvil campaigns, BleepingComputer has confirmed that it is only the universal decryptor key for\r\nvictims of the Kaseya attack.\r\nThis was also confirmed by Emsisoft CTO and ransomware expert Fabian Wosar.\r\nBleepingComputer tested the leaked key by patching an REvil universal decryptor with the decryption key leaked\r\nin the screenshot.\r\nPatching an REvil universal decryptor\r\nAfter patching the decryptor, we encrypted a virtual machine with REvil ransomware samples used in the Kaseya\r\nattack.\r\nAs shown in our video below, we then used our patched REvil Universal Decryptor to decrypt the encrypted files\r\nsuccessfully.\r\nSecurity firm Flashpoint also confirmed that they could decrypt files encrypted during the Kaseya 
ransomware\r\nattack using this decryption key.\r\nWe also tried the decryptor on other REvil samples we have accumulated over the past two years. The decryptor\r\ndid not work, indicating it is not the master decryption key for all REvil victims.\r\nIt is not clear why the Kaseya decryptor was posted on a hacking forum, which is an unlikely place for a victim to\r\npost.\r\nHowever, BleepingComputer was told by numerous sources in the cybersecurity intelligence industry that they\r\nbelieve that the poster is affiliated with the REvil ransomware gang rather than a victim.\r\nRegardless of the reasons for it being posted, for those following the Kaseya ransomware attack, this is our first\r\naccess to the universal decryptor key that Kaseya mysteriously received.\r\nSource: https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/"
	],
	"report_names": [
		"kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum"
	],
	"threat_actors": [],
	"ts_created_at": 1775791277,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b72635bb08f36db4c45f08eb2992d29ea8f9d4db.pdf",
		"text": "https://archive.orkl.eu/b72635bb08f36db4c45f08eb2992d29ea8f9d4db.txt",
		"img": "https://archive.orkl.eu/b72635bb08f36db4c45f08eb2992d29ea8f9d4db.jpg"
	}
}