The Kaseya VSA ransomware attack is being described as the largest in history. More details have emerged about the Russia-linked gang behind it and about Kaseya, the company whose software served as the conduit.
Cybersecurity researchers found that an affiliate of the notorious REvil gang infected thousands of organizations across at least 17 countries on Friday. The group is best known for extorting $11 million from the meat processor JBS in a Memorial Day attack. Most of the victims were customers of companies that remotely manage IT infrastructure for multiple clients.
REvil demanded ransoms of up to $5 million. It also posted on its dark web site an offer of a universal key that would unlock all affected machines, in exchange for $70 million in cryptocurrency.
Sweden was among the countries most affected by the attack. Peter Hultqvist, Sweden's defense minister, lamented Monday that the attack had "seriously attacked basic functions" in Swedish society.
He said in a television interview that it showed how fragile and insecure the IT security system was. Coop, a Swedish grocery chain with 800 stores, was shut down for the weekend because of problems at its cash-register software supplier.
Sophos, a cybersecurity company, said that a wide range of public and private organizations were affected, including government, financial, travel and leisure sectors, although the organizations themselves were relatively small.
Ransomware criminals break into networks and install malware that locks down computers; victims receive a decryption key only in exchange for payment.
According to the German news agency DPA, a German IT service provider said that thousands of its customers were compromised by the ransomware.
The FBI said in a statement Sunday that it was investigating the attack and that its scale "may make it impossible to respond to each victim individually." Anne Neuberger, the Deputy National Security Advisor, said in a statement that President Joe Biden had "directed all resources of government to investigate the incident." She also urged anyone who believes they have been compromised to contact the FBI.
Biden suggested that the U.S. would respond if the Kremlin was found to be involved. He has asked Vladimir Putin to stop sheltering REvil and other ransomware groups that carry out relentless extortion attacks.
Dmitry Peskov, a spokesman for Putin, was asked Monday whether Russia knew about the attack or had looked into it. He said no, but suggested that the matter could be discussed by the U.S. and Russia in their consultations on cybersecurity issues.
Experts agree that the timing of REvil's attack, at the start of the Fourth of July holiday weekend, was not accidental: the gang knew that U.S. organizations would be short-staffed and that many victims might not discover the attack until Monday or Tuesday.
Fred Voccola, Kaseya's CEO, said that many end users of managed service providers don't know what software their provider uses.
He said the victims were mostly small businesses, such as architecture firms and dental practices.
Voccola said that 50-60% of the company's 37,000 customers were affected.
Kaseya said it sent a detection tool to almost 900 customers on Saturday night.
Allan Liska of Recorded Future said that REvil's offer to decrypt all Kaseya victims' networks for $70 million suggested the gang was unable to handle the sheer volume of infected systems.
Kevin Reed of Acronis said the offer of a universal decryptor was likely a publicity stunt, since paying the $45,000 ransom demanded of individual victims would require no human intervention. Analysts said that demand was sent to the majority of targets; the universal decryptor, by contrast, would require negotiation.
Emsisoft analyst Brett Callow said that REvil may be hoping to get insurance companies to crunch the numbers and decide whether $70 million is cheaper than extended downtime.
The most advanced ransomware gangs, REvil among them, typically review victims' financial records and insurance policies, and steal files before activating the ransomware.
The breach was discovered by Dutch researchers, who said they alerted Miami-based Kaseya about it. They said the criminals used a zero-day, the industry term for a previously unknown, unpatched security hole in software. Voccola declined to confirm this or provide details, other than to say that the attack wasn't phishing.
He said, "The level of sophistication and the quality here was extraordinary."
This wasn't the first ransomware attack to exploit managed service providers; another attack that year hit 400 U.S. dental offices.
REvil, active since April 2019, operates a ransomware-as-a-service model: it develops the ransomware and leases it to affiliates, who infect targets and keep most of the ransoms. Officials say Russia and allied countries are home to the most powerful ransomware organizations, which operate with the tolerance of the Russian state and may collaborate with Russian security agencies.