Bitdefender provides universal REvil decryptor

Sicherheit (Pexels, allgemeine Nutzung)[German]Hope for victims of REvil/Sodinokibi ransomware attacks who have lost access to encrypted data. Security vendor Bitdefender has succeeded in developing a universal REvil decryptor in cooperation with law enforcement agencies. The REvil Decryptor helps with all files that were encrypted by July 13, 2021. The tool is available free of charge.


Review of the REvil group

The REvil ransomware gang (also known as Sodinokibi) is one of the most aggressive cyber actors in recent times that offered "ransomware as a service". To market itself, the group uses a kind of affiliate program where third parties are allowed to use its malware programs for criminal purposes. The group then receives a portion of the extorted funds as commission.

The attack on JBS and most recently the supply chain attack on U.S. manufacturer Kaseya (see Kaseya hack affects 1,500 companies worldwide) have raised plenty of dust.  In mid-July 2021, the websites of the REvil group as well as their payment servers and infrastructure were shut down (I had reported in the blog post REvil Ransomware Group server and infrastructure is shut down).

After the REvil infrastructure went partially offline on July 13 of this year, victims who had not paid a ransom by then were unable to recover their encrypted data. The relevant law enforcement agencies continue to investigate the actors behind REvil.  Security specialists such as Bitdefender suspect that ransomware-as-a-service (RaaS) provider REvil likely operates out of a country in the former Commonwealth of Independent States (CIS).

The group emerged in 2019 as the successor to the now-defunct GandCrab group and is one of the most prolific ransomware forges on the dark web. Partners of the group have since successfully targeted thousands of technology companies, managed service providers and retailers around the world. After successfully encrypting a company's data, REvil partners have previously demanded large ransoms of up to $70 million in exchange for a decryption key and a guarantee that internal data exfiltrated during the attack would not be made public.

Revil is back


A few days ago, however, the REvil ransomware gang's web servers reappeared on the Internet – Bleeping Computer has published this article. Security vendor Bitdefender believes that new REvil attacks are imminent after the ransomware gang's servers and supporting infrastructure recently came back online after a two-month dormancy period. Bitdefender urges organizations to be on high alert and take the necessary precautions.

REvil decryptor available

Now Bitdefender has informed me that they are providing a free decryptor for Revil-encrypted document files. The new, universal Bitdefender Decryptor tool allows victims of all REvil/Sodinokibi ransomware attacks before July 13 to recover their data and make it available again. Bitdefender developed the free tool in collaboration with a recognized law enforcement partner.

The partners who developed the tool agree that it is important to release the universal decryptor even before the investigation is complete in order to help as many victims as possible. More details about the ongoing investigation cannot be given at this time.


The REvil decryptor is available for download free of charge. Step-by-step instructions on how to use the decryptor can be found as a PDF version. Lawrence Abrams has already performed successful test runs according to the above tweet and has also published this article.

REvil decryptor

Important: As of 9/17/2021, there is this tweet that points out a bug in Decryptor. The tool should be updated soon.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *