Hackers Demand $70 Million in Far-Reaching Ransomware Attack

Hackers demanded $70 million in ransom to restore data stolen during an unprecedented cyberattack ahead of the US’s Independence Day Weekend. Russian-linked ransomware gang REvil (sometimes known as Sodinokibi) has claimed responsibility for the far-reaching attack on its dark web page.

A Massive Supply Chain Attack

The cyberattack — called a supply chain attack — compromised the systems of hundreds of companies across the globe. The ransomware gang set off a domino effect by first breaching Miami-based software firm Kaseya’s systems, then using Kaseya’s own software to inject its clients and their clients with ransomware.

Kaseya provides technology management software to managed service providers (MSPs). MSPs provide IT infrastructure to small businesses. When the hackers hijacked a tool called a Virtual Server Administrator (VSA ) — which MSPs use to manage and monitor their IT operations — they were able to spread their ransomware through a VSA update.

Kaseya said that the cyberattack was limited to its on-site VSA servers, and not its cloud-based services, which limited the cyberattack’s reach. Though the update with REvil’s ransomware only reached about 40 of Kaseya’s customers, the majority were MSPs. So the ransomware could have moved on to thousands of potential victims.

Kaseya Responds to Data Breach

Kaseya has been providing regular updates regarding the breach and the company’s response efforts. In a July 4 statement, Kaseya said: “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service.”

The software firm has advised its clients to keep all on-premises VSA services offline until the company has designated them safe for use again. Customers who have received communication from ransomware hackers were also warned to avoid clicking any links as they could be malicious and weaponized.

Kaseya provided a link to download a “Compromise Detection Tool,” which allows companies that suspect they’ve been compromised to analyze their systems.

White House Urges Companies to Report Breaches

Over the weekend, American President Joe Biden directed the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) to investigate the Kaseya hack and coordinate outreach to victims. The White House said that any victims that had been affected by the Kaseya attack should report it.

“We urge anyone who believes their systems have been compromised in the Kaseya ransomware incident to immediately report to the Internet Crime Complaint Center at https://www.IC3.gov. The FBI and CISA will reach out to identified victims to provide assistance based upon an assessment of national risk. We also urge you to immediately follow the guidance from Kaseya including shutting down your VSA servers and implementing CISA’s and FBI’s mitigation techniques,” the White House said in a statement.

Just the Latest REvil Victims

Kaseya and its clients and customers are just the latest in a trail of ransomware victims left in REvil’s wake. Just a few days before they announced their Independence Day weekend hack, the gang stole passports, driver’s licenses and social security cards from patients and employees at the University Medical Center in Las Vegas.

In a high-profile May attack, JBS Foods, one of the world’s largest meat suppliers, fell victim to a REvil ransomware attack and ended up reportedly paying $11 million in Bitcoin ransom.
Friday marked REvil’s highest initial ransom demand yet at $70 million. The group sought a ransom of $50 million in Bitcoin following a cyberattack on electronics giant Acer. REvil said it would double the ransom to $100 million if it wasn’t paid by late March. Acer hasn’t provided updates on whether the payment was made or not.