diff --git a/changelog/@unreleased/pr-424.v2.yml b/changelog/@unreleased/pr-424.v2.yml
new file mode 100644
index 00000000..607c8a0b
--- /dev/null
+++ b/changelog/@unreleased/pr-424.v2.yml
@@ -0,0 +1,5 @@
+type: fix
+fix:
+  description: Fix decryption of values including replacement syntax
+  links:
+  - https://github.com/palantir/encrypted-config-value/pull/424
diff --git a/encrypted-config-value-module/src/main/java/com/palantir/config/crypto/DecryptingVariableSubstitutor.java b/encrypted-config-value-module/src/main/java/com/palantir/config/crypto/DecryptingVariableSubstitutor.java
index 43dced79..31523895 100644
--- a/encrypted-config-value-module/src/main/java/com/palantir/config/crypto/DecryptingVariableSubstitutor.java
+++ b/encrypted-config-value-module/src/main/java/com/palantir/config/crypto/DecryptingVariableSubstitutor.java
@@ -18,6 +18,7 @@
 
 import com.palantir.config.crypto.jackson.Substitutor;
 import com.palantir.config.crypto.util.StringSubstitutionException;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 public final class DecryptingVariableSubstitutor implements Substitutor {
@@ -32,7 +33,8 @@ public String replace(String source) {
             return PATTERN.matcher(source).replaceAll(matchResult -> {
                 String encryptedValue = matchResult.group(1);
                 try {
-                    return KeyFileUtils.decryptUsingDefaultKeys(EncryptedValue.fromString(encryptedValue));
+                    return Matcher.quoteReplacement(
+                            KeyFileUtils.decryptUsingDefaultKeys(EncryptedValue.fromString(encryptedValue)));
                 } catch (RuntimeException e) {
                     throw new StringSubstitutionException(e, encryptedValue);
                 }
diff --git a/encrypted-config-value-module/src/test/java/com/palantir/config/crypto/DecryptingVariableSubstitutorTest.java b/encrypted-config-value-module/src/test/java/com/palantir/config/crypto/DecryptingVariableSubstitutorTest.java
index 73521901..d9bec3f2 100644
--- a/encrypted-config-value-module/src/test/java/com/palantir/config/crypto/DecryptingVariableSubstitutorTest.java
+++ b/encrypted-config-value-module/src/test/java/com/palantir/config/crypto/DecryptingVariableSubstitutorTest.java
@@ -79,6 +79,11 @@ public final void variableIsDecrypted() throws Exception {
         assertThat(substitutor.replace("${" + encrypt("abc") + "}")).isEqualTo("abc");
     }
 
+    @Test
+    public final void variableIsDecryptedWithRegex() throws Exception {
+        assertThat(substitutor.replace("${" + encrypt("$5") + "}")).isEqualTo("$5");
+    }
+
     private String encrypt(String value) {
         return ALGORITHM.newEncrypter().encrypt(KEY_PAIR.encryptionKey(), value).toString();
     }