El_Cometa group, previously known as SynAck, has released the master decryption keys for the victims who were targeted between July 2017 to early 2021. Additionally, they have released a manual for using the master keys.

What happened?

The decryption keys were shared on the group’s data leak site and with a cybersecurity news publication. 
  • After receiving the keys, The Record shared them with ransomware experts who then confirmed that the keys are legitimate and can be used to create a SynAck decryptor for the recovery of encrypted files for free.
  • The news site will not be making these keys available for the general public as the decryption process is complex for non-technical users and former SynAck victims may damage their files during the recovery of older data.
  • However, Emsisoft would be creating its own decryption tool that will be easy to use and safe. The tool will be released for public use within a few days.

About SynAck

  • The SynAck ransomware operation first started in August/September 2017 but it was not an active group. The most recent activity was spotted in 2018, which slowly increased at the end of 2019.
  • In late July, the group rebranded itself as El_Cometa and started operating as Ransomware-as-a-Service (RaaS) and started recruiting affiliates to breach target networks.

Other ransomware gangs that released keys

SynAck is not the only group to release the decryption keys. In the past few months, several ransomware groups have shut down or rebranded themselves.
  • In the last month, after ransomware attacks on Kaseya, the REvil group disappeared suddenly. However, the decryption key was received just three weeks after the attack.
  • Other ransomware groups that have released their master decryption keys in the past are identified as Avaddon, TeslaCrypt, AES-NI, Shade, Crysis, Ziggy, FonixLocker, and FilesLocker.


Rebranding ransomware is now becoming a growing trend as numerous prominent ransomware gangs have walked down this path in last few months. In some cases, it has been observed that the rebranding might also be due to increased pressure from law enforcement agencies. Therefore, organizations, security professionals, and researchers need to hold their guards to stay protected.

Cyware Publisher