Skip to content

Kaseya’s universal decryption key leaked on Russian hacking forum

  • by
  • 3 min read

Kaseya’s universal REvil decryptor key has now been leaked on a Russian hacking forum. A user named Ekranoplan posted a screenshot of what appears to be a universal decryptor for REvil infected files. A security researcher named pancak3 also tweeted about the post.

On July 2, Kaseya’s VSA supply chain was attacked by the REvil ransomware gang, effectively encrypting over 1500 businesses using Kaseya services. As a response, Kasyea immediately shut down their SaaS servers and started working on a patch.

Later on, REvil demanded a mammoth $70 million in ransom for a universal decryptor that could unlock the files encrypted in the attack in under an hour.

The company had announced on July 22 that they’ve received a universal decryption key from an unnamed “trusted third-party” and had started distributing it to affected customers, albeit with a non-disclosure agreement, as reported by CNN, which explains why the key was kept out of researchers hands until now. 

Although the actual source of the encryptor is still unknown, it’s believed that Russian intelligence obtained the encryptor from REvil and handed it over to US authorities as a gesture of goodwill. 

In the News: Samsung unveils Exynos W920: Industry’s smallest wearable chip

Is the REvil nightmare for Kaseya over?

Following REvil’s mysterious disappearance and Kaseya still struggling to solve the problem, the situation wasn’t looking good for them. However, this new decryptor seems to have saved the company a lot of headaches. 

A screenshot of the decryptor posted on the hacking forum.

However, from the screenshot, it’s clear that this decryptor is only for files associated with the Kaseya attack and not a master operator key for all REvil attacks. This was confirmed by Emsisoft CTA and ransomware expert Fabian Wosar as well. 

Another security firm, Flashpoint, also confirmed that they could decrypt files encrypted as part of the REvil ransomware attack. It’s still not clear why the key was posted on a hacking forum. However, as reported by BleepingComputerthe poster is more likely to be affiliated with REvil rather than being a victim. 

Regardless, this is the first time independent researchers and those unaffected by the entire REvil-Kaseya fiasco can take a look at this universal decryptor that Kasyea obtained. The screenshot was posted to a Github repository, and you can find it here.

In the News: Unofficial patch appears for Windows PetitPotam vulnerability

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: