Cybersecurity researchers have found that a member of the notorious REvil gang infected thousands of people in 17 countries Friday with the virus. It was mainly distributed by firms that remotely manage IT infrastructures for multiple customers.
Researchers claimed that REvil demanded ransoms up to $5 Million. It posted a dark web site late Sunday offering a universal encryption software key to all affected machines for $70 million.
The FBI stated earlier in a statement that while it was investigating the attack, its scale "may render it impossible to respond to each victim individually." Anne Neuberger, Deputy National Security Advisor, later released a statement saying that President Joe Biden had "directed all resources of the government" to investigate the incident and encouraged anyone who felt they were being compromised to notify the FBI.
Biden suggested Saturdaythat the U.S. would reply if it was found that the Kremlin is involved.
Biden asked Vladimir Putin, Russian President, to end his safe haven for REvil and other ransomware groups whose relentless extortionary attacksthe U.S. considers a national security risk less than a month back.
The latest attack on a wide range of public and private agencies was reported to have occurred across all continents. It also affected financial services, travel, leisure, and the public sector. However, there were very few large companies that were affected, according to the cybersecurity firm Sophos. Ransomware criminals hack into networks and spread malware that disables their systems by scrambling all of their data. When victims pay up, they get a decoder code.
Coop, a Swedish grocery chain, announced that most of its 800 stores will be closed on Sunday due to the loss of their cash register software supplier. The state railway, Swedish pharmacy chain, and gas station chain were all also affected.
According to the news agency dpa, an unnamed German IT services company claimed that several thousand customers had been compromised. Two large Dutch IT service companies, VelzArt Techniek and Hoppenbrouwer Techniek were also reported as victims. Ransomware victims are not likely to report attacks publicly or reveal if they have paid ransoms.
Kaseya CEO Fred Voccola estimated that there were around 2,000 victims in the software company's breach. These small businesses include "dental practices", architecture firms, plastic surgery centers and libraries.
Voccola stated in an interview that between 50-60% of the company's 37,000 clients were compromised. 70% of the victims were managed service providers that use VSA software from the company to manage multiple customers. It automates software installation and security updates, and also manages backups.
Experts believe it was not a coincidence that REvil launched their attack just before the Fourth of July holiday weekend. They knew the U.S. offices would have a low staff. It is possible that many victims won't find out about it until Monday when they return to work. Voccola stated that most end users of managed services providers have no idea who their software is.
Kaseya stated that it sent a detection device to almost 900 customers Saturday night.
Allan Liska, an analyst at Recorded Future, stated that REvil offered to provide blanket encryption for all Kaseya victims in return for $70 million. This suggested it was unable to deal with the sheer volume of infected networks. Analysts reported that it demanded $45,000 for the majority of its targets, despite demands for $5 million and $500,000 for larger targets.
"This attack is much bigger than they expected, and it is getting lots of attention." Liska stated that REvil is motivated to quickly end the attack. This is a difficult problem to manage.
Emsisoft analyst Brett Callow said that he believes REvil hopes insurers will crunch the numbers to determine that $70 million is more affordable than prolonged downtime.
Ransomware gangs at the REvil level are skilled and will examine victims' financial records, as well as their insurance policies, from files they have stolen before activating ransomware. If the ransom is not paid, the criminals threaten to upload the stolen data online. This attack appears to have failed.
Dutch researchers said they alerted Kaseya in Miami to the breach. They also claimed that the criminals used "zero day", the industry term for an earlier unknown security hole in software. Voccola declined to confirm or provide details about the breach, except to say it wasn't phishing.
He said, "The level of sophistication was extraordinary."
Voccola stated that he is certain that Mandiant's investigation will prove that the criminals did not just break the Kaseya code by breaking into Kaseya's network, but also exploited third-party software vulnerabilities.
This was not the first ransomware attack that targeted managed service providers. The networks of 22 Texas cities were hampered by criminals in 2019. In a separate attack, 400 U.S. dentist practices were also crippled.
Victor Gevers, one of the Dutch vulnerability researchers said that his team is concerned about Kaseya’s VSA due to the complete control they have over the vast computing resources available. He wrote that "more and more products that are used for keeping networks safe and secure are showing structural weakness" in a Sunday blog post.
ESET, a cybersecurity company, identified victims in at least 17 countries, including the United Kingdom of South Africa, Canada and South Africa.
Kaseya claims the attack only targeted "on-premise" customers. This refers to organizations that have their own data centers. It does not include cloud-based services that provide software for customers. However, it also shut down these servers as a precaution.
Kaseya asked customers to immediately shut down VSA servers Friday and said that it would have a patch Sunday.
REvil has been active since April 2019. It offers ransomware as-a-service. This means that it creates and leases ransomware to its affiliates, who infect targets and make the largest share of ransoms. Officials from the United States say that ransomware gangs with the greatest potential are those based in Russia and other allied countries. They operate with Kremlin tolerance, sometimes colluding with Russian security forces.
Dmitri Aloperovitch, a Silverado Policy Accelerator think-tank cybersecurity expert, said that while he doesn't believe that the Kaseya attack was directed by the Kremlin, it does show that Putin has not "moved" to shut down cybercriminals.