Bitdefender has released a universal decryptor for REvil/Sodinokibi victims infected before July 13, 2021.
In a statement, the cybersecurity company said it created the tool with "a trusted law enforcement partner" in an effort to help the many victims who had been infected with the ransomware.
There are multiple REvil victims who either refused to pay a ransom or paid a ransom but did not get working decryption keys before the ransomware group went dark on July 13 following a massive July 4 attack on Kaseya, an IT solutions developer for MSPs and enterprise clients.
Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet that they began seeing dozens of downloads of the decryptor as soon as they released it. The company has also been contacted privately by several victims who have been waiting for help since the group's emergence.
Botezatu noted that it is impossible to estimate how many victims REvil has managed to infect since 2019 because not all victims report infections or reach out for support.
When asked why the decryptor only works for victims infected before July 13 and not after, Botezatu said that he could not discuss specifics but explained that the main difference is "related to the decryption keys that we have available from our trusted law enforcement partner."
"We have tested the tool against recent attacks, and our tool cannot yet decrypt attacks after the July 13 date," Botezatu said.
"We are pleased we are helping victims who have been impacted. Like other industry researchers, we have seen REvil activity start back up. Based on our experience, we believe new ransomware attacks are imminent and organizations of all sizes and in all industries should be on high alert."
Botezatu added that the company is working on new versions of decryptors, as well as on decryptors of the most prominent families of ransomware.
In a longer statement, Bitdefender said victims with encrypted data were left in the lurch when parts of REvil's infrastructure went offline and confirmed that they will not be able to comment on certain details of the case until they are allowed to by "the lead investigating law enforcement partner."
"Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible," Bitdefender said. "We believe new REvil attacks are imminent after the ransomware gang's servers and supporting infrastructure recently came back online after a two-month hiatus. We urge organizations to be on high alert and to take necessary precautions."
The company noted that REvil operators are most likely based in a Commonwealth of Independent States (CIS) country and that the group emerged as a derivative of the GandCrab ransomware in 2019. REvil has attacked thousands of companies worldwide, demanding exorbitant ransoms in return for not leaking data.
Ransomware expert and Emsisoft threat analyst Brett Callow, who has worked on decryptors for other ransomware strains, said the release would definitely help any pre-13th July victims who've been unable to fully recover their data by other means in the weeks since.
"The fact that the decryptor was 'created in collaboration with a trusted law enforcement partner' would imply that that partner had recovered the keys," Callow added.
Callow noted that REvil attacked at least 360 US-based organizations this year. The RansomWhere research site says the group has brought in at least $11 million this year, with high profile attacks on Acer, JBS, Quanta Computer and more.