Kaseya’s Universal REvil Decryption Key Leaked on the Dark Web
Table of Contents
- By Dawna M. Roberts
- Published: Aug 17, 2021
- Last Updated: Mar 18, 2022
This week Bleeping Computer, Data Breach Today and other news outlets reported that Kaseya’s REvil universal decryption key showed up on the dark web. However, interestingly, it only unlocks files related to the Kaseya attack.
What Happened?
In July, the REvil ransomware gang attacked dozens of managed service providers (MSAs), exploiting a zero-day authentication vulnerability in the Kaseya VSA remote management tool. As a result, attackers encrypted 60 MSAs along with 1,500 other companies. The Kaseya attack is being called one of “the largest ransomware attacks in history.”
Shortly after the attack, Kaseya announced that they had obtained a universal decryption key and were using it to unlock customers’ data. They did not provide any information on how they acquired the key. The company did confirm that they did not pay any ransom to the REvil gang.
The key was leaked last Friday by a user on a Russian dark web forum called XSS. Data Breach Today divulged that “A post on the XSS cybercrime forum contained a link leading to a screenshot with a key that decrypts the REvil ransomware used against Kaseya.”
Now that the decryption key has been leaked, security researchers are able to examine it and find out more about how it works. However, no one knows if this leaked key is the same one that Kaseya themselves used to deal with the ransomware encryption.
Why Now?
Threat researchers wonder about the timing of this release. Data Breach Today states that “The key may not be terribly useful to anyone at this point, says Allan Liska, an intelligence analyst with Recorded Future’s computer security incident response team.”
“At this point, most REvil victims have already gone down the path of recovery,” Liska says.
After the attack, Emsisoft security experts worked with Kaseya to distribute the universal decryption key to all affected victims, so why release one now on the dark web?
Another twisted facet to this story is that shortly after the Kaseya attack REvil hacker gang isappeared, and experts theorize they disbanded or were told to stand down.
The user who posted the key on August 4 is called Ekranoplan. He posted a note along with the key in Russian, which translates to ‘“If someone needs a REvil decryptor key, I put it here. Good luck,” and then included this link to GitHub. The GitHub link contains a screenshot that includes a string that is the decryption key. It is labelled “master_sk.” He also noted that the key “was provided to us by our parent company and is supposed to work for all REvil victims, not just us.”’
To further explain how that works, Data Breach Today said, “REvil’s ransomware used four sets of cryptographic keys, as explained in a tweet thread in early July by Fabian Wosar, Emsisoft’s CTO. The master_sk key is also known as a “campaign” key or a key that is used for a specific campaign against a specific entity. To put it another way, it’s different for every victim. So, if the screenshot posted on GitHub has an accurate label, this would appear to be just the decryption key for Kaseya victims.
Wosar was also quick to point out that REvil also uses an “operator” key, which would unlock all versions of REvil, but he has never seen one of those leaked anywhere. Furthermore, the key that Ekranoplan revealed was not an operator key. According to Data Breach Today, “A couple of users on the XSS forum claim to have been able to use what was released to unlock files encrypted by other REvil variants.”
