Share this page!

BleepingComputer Profile picture
Twitter logo
11 Aug, 7 tweets, 3 min read
Kaseya's universal REvil decryption key leaked on a hacking forum - @LawrenceAbrams
bleepingcomputer.com/news/security/…
Yesterday, @pancak3lullz noticed someone posted a link to a screenshot on the XSS forum of an alleged REvil decryptor for ransomware victims.

The person said the decryptor could be used to decrypt all Kaseya victims.
When REvil victims pay a ransom, they are given either a decryptor for a single extension, or a decryptor for the whole campaign.

The screenshot on GitHub was for an REvil universal decryptor that contained the master key for the entire campaign.
github.com/Fr3akaLmaTT3r/…
While some thought this may be the master "operator" key for REvil that can be used to decrypt any victim, @fwosar said that this was unfortunately not the case.
To test the decryptor, BleepingComputer encrypted a VM using a sample from the Kaseya attack.

We then proceeded to patch a different REvil universal decryptor with the "OgTD7co7NcYCoNj8NoYdPoR8nVFJBO5vs/kVkhelp2s=" key.
Using this decryptor we were able to decrypt the files on our VM encrypted by the Kaseya sample.

We were not able to decrypt files from other campaigns or victims.
For those who wish to test this process, below are the hashes for a sample and decryptor used in the est.

REvil sample: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Universal decryptor: c2cf2118550a0fd7f81fe9913fe36be24c03a0ae5430b94557e0ee71c550a58c

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with BleepingComputer

BleepingComputer Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @BleepinComputer

BleepingComputer Profile picture
12 Aug
Hackers now backdoor Microsoft Exchange using ProxyShell exploits - @LawrenceAbrams
bleepingcomputer.com/news/microsoft…
We knew exploits would be coming when we reported about active ProxyShell scans last week.
bleepingcomputer.com/news/microsoft…
Well it's begun today - threat actors are now actively exploiting Microsoft Exchange server with the ProxyShell vulnerability to drop webshells and backdoors.
Read 11 tweets
BleepingComputer Profile picture
10 Aug
Microsoft fixes Windows Print Spooler PrintNightmare vulnerability - @LawrenceAbrams
bleepingcomputer.com/news/microsoft…
As part of today's Patch Tuesday updates, Microsoft has released an update to fix the recent PrintNightmare elevation of privileges vulnerabilities released by @gentilkiwi and others.
bleepingcomputer.com/news/microsoft…
To exploit the bug, a print server would be created with a specially crafted printer driver.

A low-privileged users could connect to the print server, and using Point and Print, the driver would be installed with a DLL that opens a SYSTEM-level console.
bleepingcomputer.com/news/microsoft…
Read 5 tweets
BleepingComputer Profile picture
10 Aug
Over $600 million reportedly stolen in cryptocurrency hack - @Ax_Sharma
bleepingcomputer.com/news/security/…
@Ax_Sharma Attack on Poly Network ended with the hacker transferring Binance Chain, Ethereum, and Polygon assets to three wallets they control:

Ethereum tokens: $273 million
Binance Smart Chain: $253 million
Polygon Network (in USDC): $85 million
@Ax_Sharma The hacker's three wallets have been reported to exchanges to prevent the attacker from converting the assets and splitting with the money. Image
Read 5 tweets
BleepingComputer Profile picture
4 Aug
New Cobalt Strike bugs allow takedown of attackers’ servers - @serghei
bleepingcomputer.com/news/security/…
@serghei SentinelLabs found the DoS vulnerabilities tracked as CVE-2021-36798 and dubbed Hotcobalt in the latest versions of Cobalt Strike's server.

bleepingcomputer.com/news/security/…
The Hotcobalt bugs can be exploited by registering fake beacons which help crash Cobalt Strike C2 servers, blocking C2 comms and new beacon deployments.

Law enforcement and researchers can also use Hotcobalt to take down malicious infrastructure.

bleepingcomputer.com/news/security/…
Read 4 tweets
BleepingComputer Profile picture
2 Aug
BlackMatter ransomware pretending they are not DarkSide.

Interesting read.
therecord.media/an-interview-w…
As a refresher.
bleepingcomputer.com/news/security/…
Read 4 tweets
BleepingComputer Profile picture
2 Aug
Windows PetitPotam attacks can be blocked using new method - @LawrenceAbrams
bleepingcomputer.com/news/microsoft…
Last month, @topotam77 discovered a new unauthenticated vector in the Microsoft Encrypting File System Remote Protocol (EFSRPC) API to perform Windows NTLM relay attacks.
bleepingcomputer.com/news/microsoft…
It was quickly illustrated how easily these attacks could be conducted to take over a Windows domain.
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @BleepinComputer has new unrolls!

Check out other threads from @BleepinComputer!

Read all threads by @BleepinComputer

:(