Bitdefender has released a universal decryptor for REvil/Sodinokibi victims infected before July 13, 2021.
In an announcement, the cybersecurity firm said it created the tool with "a trusted law enforcement partner" in an effort to help the many victims who had been infected with the ransomware.
There are a number of REvil victims who a ransom or paid a ransom but before the ransomware group following a , an IT solutions developer for MSPs and enterprise clients.
The group has and leaked data about a number of victims, even on Thursday as Bitdefender rolled out its decryptor.
Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet that they started seeing dozens of downloads of the decryptor as soon as they released it. The company has also been contacted privately by a number of victims who have been waiting for help since the emergence of the group.
Botezatu noted that it is impossible to estimate how many victims REvil has managed to infect since 2019 because not all victims report infections or reach out for help.
When asked why the decryptor only works for victims infected before July 13 and not after, Botezatu said that he couldn't discuss specifics, but explained that the main difference is "related to the decryption keys that we have available from our trusted law enforcement partner."
"We have tested the tool against recent attacks and our tool cannot yet decrypt attacks after the July 13 date," Botezatu said.
"We're pleased we're helping victims who have been impacted. Like other industry researchers, we have seen REvil activity start back up. Based on our experience we believe new ransomware attacks are imminent and organizations of all sizes and in all industries should be on high alert."
Botezatu added that the company is working on new versions of decryptors, as well as on decryptors for the most prominent families of ransomware.
In a longer statement, Bitdefender said victims with encrypted data were left in the lurch when parts of REvil's infrastructure went offline, and confirmed that it will not be able to comment on certain details of the case until it is allowed to by "the lead investigating law enforcement partner."
"Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible," Bitdefender said. "We believe new REvil attacks are imminent after the ransomware gang's servers and supporting infrastructure recently came back online after a two month hiatus. We urge organizations to be on high alert and to take necessary precautions."
The company noted that REvil operators are most likely based in a Commonwealth of Independent States (CIS) country and that the group emerged as a spinoff of the GandCrab ransomware in 2019. REvil has attacked thousands of companies around the world, demanding exorbitant ransoms in return for not leaking data.
Ransomware expert and Emsisoft threat analyst Brett Callow, who has worked on decryptors for other ransomware strains, said the release will certainly help any pre-13th July victims who have been unable to fully recover their data by other means in the weeks since.
"The fact that the decryptor was 'created in collaboration with a trusted law enforcement partner' would imply that that partner had recovered the keys," Callow added.
Callow noted that REvil attacked at least 360 US-based organizations this year. The RansomWhere research site says the group has brought in , with high profile attacks on Acer, JBS, Quanta Computer and more.