How did Kaseya get a universal decryptor after a mind-bogglingly big ransomware attack? A REvil coder misclicked, generated & issued it, and “That’s how we sh*t ourselves.”
The REvil ransomware gang’s tentacles shot out yet again last week, with the gang’s servers back online, a fresh victim listed on its site, ransom payments back up and flowing, and an explanation of why it took a two-month hiatus.
A purported REvil representative also addressed a slew of questions, including:
Q: How did Kaseya, an IT solutions developer for managed service providers (MSPs), get its hands on a universal decryptor key that was leaked online after REvil launched one of the biggest ransomware sprees in history against it and 60 of its MSP clients on July 2?
A: The short answer: A REvil coder screwed up.
As Flashpoint has reported, REvil posted twice on the Exploit underground forum on Friday, Sept. 10, to clarify what happened during that Kaseya-related key generation process and how a coder fat-fingered the generation and leaking of the universal key.
Flashpoint provided this lightly edited translation: “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves.”
REvil’s alleged new rep, operating under the alias “REvil,” explained that the criminal organization’s encryption process allows for generation of either a universal decryptor key or individual keys for each of a victim’s encrypted machines. In the process of generating the keys for Kaseya and its victimized MSPs, REvil had to generate between 20 and 500 decryption keys for each individual victim, because the victims in that attack all had networks of different sizes.
REvil Used Backups to Crawl Back
The new representative explained that REvil managed to come back online using the criminal affiliation’s backups.
According to Flashpoint analysts, this is apparently the first time that REvil has appeared on the Russian-language underground forum Exploit since its servers slipped offline without an explanation in July, a disappearance that followed fast on the heels of the high-profile Kaseya attack.
After that attack, the gang’s Tor servers and infrastructure powered down, and the security researcher @Pancak3 discovered the master decryption key had been leaked to an underground forum. The researcher posted a screenshot of the key on Twitter and GitHub.
It was a Kaseya attack-specific key, and it worked to untangle the victims of that attack. Nobody at the time was quite sure how Kaseya may have gotten the key, but the company has maintained that it came from a “trusted third party.”
REvil Back Up
The screenshot below, captured by Flashpoint, depicts REvil’s new registration on Exploit. It was taken at approximately 10:00 AM EST last Thursday, Sept. 9.
Two days earlier, on Tuesday, Sept. 7, REvil’s leak site – known as Happy Blog – was back up, and it’s now “fully operational,” according to Flashpoint: “For all intents and purposes, it appears that REvil is fully operational after its hiatus,” Flashpoint researchers wrote.
On that same day, REvil’s Tor payment/negotiation site also suddenly sprang back to life. By Thursday, victims could once again log in and negotiate with the group. As it was, those victims had been left high and dry after REvil’s disappearance on July 13, which left them with no decryption key and no ability to negotiate the ransom so they could get one.
As BleepingComputer reported, prior victims have had their ransom-payment timers reset.
At this point, there’s evidence of active development, too. On Thursday, Sept. 9, a new REvil ransomware sample, compiled on Sept. 4, was uploaded to VirusTotal.
Also, on Saturday, the gang published screenshots of stolen data for the new victim on its data leak site as further proof that REvil is, in fact, back in action.
Why REvil Shut Up Shop in the First Place
On Thursday, the new rep – REvil – explained in posts to criminal forums that the group had briefly yanked its servers offline because they thought that the former rep – Unk/Unknown – had been arrested and that REvil’s servers were compromised.
Advanced Intel’s translation:
As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited – he did not show up and we restored everything from backups.
After UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward.
Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor. – REvil
Law enforcement getting their hands on the decryptor and shutting down the servers was one possibility that was floated after REvil’s servers went dark. So too was the notion that REvil may have been reincarnated as the new ransomware group BlackMatter.
But if REvil’s posts on Exploit, et al., prove to be accurate, neither of those theories holds water. In fact, as multiple sources have told BleepingComputer, REvil’s disappearance “surprised law enforcement as much as everyone else.”
Making Nice With Unhappy Affiliates
Besides re-emerging, REvil is apparently looking to re-establish its cred. It looks like the reborn REvil – which is a ransomware-as-a-service (RaaS) player that rents out its ransomware gear to affiliates – is trying to patch things up with disgruntled affiliates who grumbled about missing payouts after the group’s disappearance.
When Happy Blog popped back up, some threat actors opened arbitration cases against REvil on underground forums.
Flashpoint analysts observed one threat actor, “boriselcin,” who opened an arbitration case against REvil spokesperson UNKN, aka Unknown, on the Russian-language forum XSS. The actor claimed that UNKN owed them money and wanted to be compensated now that the group is back up and running.
But by Thursday, Sept. 8, the squall had blown over, as boriselcin closed the claim saying it had been resolved.
Flashpoint predicted that more former affiliates may file similar cases, however.