{"id":3223,"date":"2021-09-20T11:32:04","date_gmt":"2021-09-20T11:32:04","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3223"},"modified":"2026-06-08T22:51:29","modified_gmt":"2026-06-08T22:51:29","slug":"revil-sodinokibi-ransomware-decryptor","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/revil-sodinokibi-ransomware-decryptor\/","title":{"rendered":"REvil\/Sodinokibi Ransomware decryptor"},"content":{"rendered":"\n<p style=\"text-align: justify\"><strong>REvil<\/strong> is a ransomware-as-a-service (RaaS) operator likely based in a Commonwealth of Independent States (CIS) country. It emerged in 2019 as the successor to the now-defunct GandCrab ransomware. REvil\/Sodinokibi ranks among the most prolific ransomware operators on the Dark Web: affiliates have targeted thousands of technology companies, MSPs, and resellers worldwide.<\/p>\n\n\n\n<p style=\"text-align: justify\">Following successful encryption of a target organization&#8217;s data, REvil affiliates demand substantial ransoms\u2014up to $70 million\u2014in exchange for a decryption key and a pledge to keep confidential the data exfiltrated during the attack. Its most significant operation before its disappearance was the <strong>Kaseya attack<\/strong>. Beginning 2 July, the REvil group launched what amounted to over 5 000 attacks across 22 countries against the Kaseya Virtual System\/Server Administrator (VSA) platform.<\/p>\n<p style=\"text-align: justify\">Regarding decryption keys, REvil, like other RaaS groups, operates a key hierarchy in which a specific decryption key is generated for each compromised customer; additionally, an &#8220;operator key&#8221; or &#8220;master key&#8221; exists, used by senior RaaS leadership such as UNKN, the REvil representative who was active prior to the group&#8217;s shutdown on 13 July. 
The master key can unlock any victim.<\/p>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">REvil Decryptor<\/h4>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/09\/image-5-1024x538.png\" alt=\"\" class=\"wp-image-3238\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p style=\"text-align: justify\"><strong>Bitdefender<\/strong> announced availability of a <strong>universal decryptor for REvil\/Sodinokibi<\/strong>. Developed in collaboration with a trusted law enforcement partner, this tool assists victims affected by REvil ransomware in restoring files and recovering from attacks conducted prior to 13 July 2021. Our <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> teams have tracked the deployment of this decryption capability across affected organizations globally.<\/p>\n<p style=\"text-align: justify\">Below is the PDF guide for Decryptor usage (<a href=\"https:\/\/www.nomoreransom.org\/uploads\/REvil_documentation.pdf\" class=\"ek-link\">official link<\/a>):<\/p>\n\n\n\n<div class=\"wp-block-file\"><a href=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/09\/REvil_Decrypter_documentation.pdf\">REvil_Decrypter_documentation<\/a><a href=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/09\/REvil_Decrypter_documentation.pdf\" class=\"wp-block-file__button\" download>Download<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Universal decryptor released for REvil\/Sodinokibi: scope of recovery, conditions of usability and operational guidance for victims with encrypted 
backups.<\/p>\n","protected":false},"author":1,"featured_media":3238,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1635,1665,203,3136,295,327],"class_list":["post-3223","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-decrypt-it","tag-decryptor-it","tag-law-enforcement","tag-ransomware-recovery","tag-revil","tag-sodinokibi"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3223"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3223\/revisions"}],"predecessor-version":[{"id":9877,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3223\/revisions\/9877"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}