
Emerging Threats

REvil/Sodinokibi Ransomware decryptor

· frtg · 2 min read

REvil is a ransomware-as-a-service (RaaS) operator likely based in a Commonwealth of Independent States (CIS) country. It emerged in 2019 as the successor to the now-defunct GandCrab ransomware. REvil/Sodinokibi ranks among the most prolific ransomware operators on the Dark Web: affiliates have targeted thousands of technology companies, MSPs, and resellers worldwide.

Following successful encryption of a target organization’s data, REvil affiliates demand substantial ransoms—up to $70 million—in exchange for a decryption key and a pledge of confidentiality for data exfiltrated during the attack. Its most significant operation before its disappearance was the Kaseya attack. Beginning 2 July, the REvil group launched what amounted to over 5 000 attacks across 22 countries against the Kaseya Virtual System/Server Administrator (VSA) platform.

Regarding decryption keys, REvil, like other RaaS groups, operates a key hierarchy in which a specific decryption key is generated for each compromised customer; additionally, an “operator key” or “master key” exists, used by senior RaaS leadership such as UNKN, the REvil representative who was active prior to the group’s shutdown on 13 July. The master key can decrypt any victim’s files regardless of the per-victim key.

REvil Decryptor

Bitdefender announced availability of a universal decryptor for REvil/Sodinokibi. Developed in collaboration with a trusted law enforcement partner, this tool assists victims affected by REvil ransomware in restoring files and recovering from attacks conducted prior to 13 July 2021. Our Managed Detection and Response teams have tracked the deployment of this decryption capability across affected organizations globally.

Below is the PDF guide for Decryptor usage (official link):
