Cybersecurity teams worked quickly on Sunday to mitigate the effects of the single largest worldwide ransomware attack on record, as some details surfaced about how the Russia-linked gang behind the attack penetrated the company whose software served as the conduit.
On Friday, an affiliate of the notorious REvil gang infected thousands of victims in at least 17 countries, largely through firms that remotely manage IT infrastructure for multiple customers, according to cybersecurity researchers. The REvil gang is best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack.
According to the experts, REvil demanded up to $5 million in ransom from individual victims. In a statement on its dark web site late Sunday, however, it offered a universal decryptor key that would unscramble all afflicted PCs in exchange for $70 million in cryptocurrency.
The FBI had stated earlier that the size of the attack “may make it so that we are unable to respond to each victim individually” while investigating it. President Joe Biden had “directed the full resources of the government to examine this incident,” according to Deputy National Security Advisor Anne Neuberger, who also advised anyone who believes they have been compromised to contact the FBI.
Biden said on Saturday that the US will retaliate if it is determined that the Kremlin is involved in any way.
Biden asked Russian President Vladimir Putin less than a month ago to quit providing safe haven to REvil and other ransomware groups whose relentless extortionary strikes the US considers a national security concern.
According to cybersecurity firm Sophos, the current attack affected a wide range of organisations and government institutions across the globe, including those in financial services, travel and leisure, and the public sector – though few huge corporations. Criminals that use ransomware penetrate networks and plant software that cripples them by encrypting all of their data. When victims pay up, they are given a decryption key.
Because their cash register software supplier was crippled, the Swedish grocery giant Coop announced that most of its 800 locations will be closed for a second day on Sunday. A Swedish drugstore company, a petrol station chain, the state railway, and the Swedish public broadcaster SVT were all targeted.
According to the news agency dpa, an unnamed IT services business in Germany informed authorities that thousands of its customers had been infiltrated. VelzArt and Hoppenbrouwer Techniek, two large Dutch IT services companies, were also reported as victims. The majority of ransomware victims do not publicly report attacks or reveal whether or not they have paid ransoms.
The number of victims, according to Kaseya CEO Fred Voccola, is in the low thousands, with most of the victims being small enterprises such as “dental clinics, design firms, plastic surgery facilities, libraries, and things like that.”
In an interview, Voccola stated that only 50-60 of the company’s 37,000 clients were affected. However, 70% of those were managed service providers, who use the company’s compromised VSA software to manage multiple customers. VSA automates the installation of software and security updates and organises backups and other critical operations.
Experts believe it was no coincidence that REvil attacked at the start of the Fourth of July holiday weekend, knowing that US offices would be understaffed. Many victims may not learn about it until Monday when they return to work. According to Voccola, most end users of managed service providers “have no idea” whose software keeps their networks running.
On Saturday night, Kaseya said it delivered a detection tool to approximately 900 clients.
According to Allan Liska, an expert with the cybersecurity firm Recorded Future, REvil’s offer of blanket decryption for all victims of the Kaseya attack in exchange for $70 million revealed the gang’s inability to cope with the enormous volume of compromised networks. Although analysts reported seeing demands of $5 million and $500,000 for larger targets, it appears that the majority of victims were asked for only $45,000.
“This attack is far larger than they anticipated, and it is attracting a lot of media attention. It’s in REvil’s best interests to get this over with as soon as possible,” Liska explained. “It’s a nightmare to deal with.”
Emsisoft analyst Brett Callow believes REvil expects insurers to do the arithmetic and decide that the $70 million is cheaper than lengthy downtime.
Before launching the ransomware, sophisticated ransomware gangs of REvil’s level frequently review a victim’s financial information — and insurance policies if they can locate them — from files they steal. The crooks then threaten to post the stolen information on the internet unless they are paid. That does not appear to have happened in this attack.
The attackers exploited a “zero day,” the industry term for a previously unknown security flaw in software, according to Dutch experts who informed Miami-based Kaseya of the intrusion. Voccola wouldn’t confirm it or give any details about the incident, other than to state it wasn’t phishing.
He said, “The level of sophistication here was remarkable.”
When the cybersecurity firm Mandiant completes its investigation, Voccola believes it will show that the crooks not only exploited flaws in Kaseya’s own code but also used flaws in third-party software to break into his network.
It wasn’t the first time ransomware attackers used managed services companies as a conduit. Through one, crooks crippled the networks of 22 Texas towns in 2019. In the same year, a separate attack devastated 400 dental practices in the United States.
Victor Gevers, a Dutch vulnerability researcher, said his group is concerned about technologies like Kaseya’s VSA because of the complete control over massive computer resources they can provide. “A growing number of the devices used to keep networks safe and secure are revealing structural flaws,” he wrote in a blog post on Sunday.
At least 17 countries have been identified as victims, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, according to cybersecurity firm ESET.
According to Kaseya, the attack only impacted “on-premise” customers, meaning companies that run VSA in their own data centres, rather than its cloud-based services, which run the software on Kaseya’s own infrastructure for customers. It did, however, take down certain servers as a precaution.
Kaseya, which advised customers to shut down their VSA servers immediately on Friday, said Sunday that a patch would be available in the coming days.
REvil has been active since April 2019 and offers ransomware-as-a-service, which means it creates network-paralyzing software and leases it to so-called affiliates who infect targets and collect the majority of the ransoms. The most powerful ransomware gangs, according to US sources, are based in Russia and allied states, operate with Kremlin tolerance, and occasionally coordinate with Russian security services.
While Dmitri Alperovitch of the Silverado Policy Accelerator think tank does not believe the Kaseya attack was orchestrated by the Kremlin, he believes it demonstrates that Putin “has not yet moved” on shutting down cybercriminals.