An affiliate of the infamous REvil gang, best known for extorting $11 million from the international meat processor JBS this spring, infected the computers of thousands of victims in at least 17 countries on Friday, mostly through companies that remotely manage IT infrastructure for multiple clients, cybersecurity researchers said.
REvil originally demanded ransoms of up to five million dollars from individual victims, but last night it announced that a universal decryption key that would unlock all affected machines would be provided in exchange for a total of $70 million in cryptocurrency. It is not clear who would be expected to pay it.
Sweden is perhaps the country most affected by the attack, or at least the one that has been most transparent about it. Its defense minister, Peter Hultqvist, today called it a “serious attack on the basic functions of Swedish society.” “It shows how fragile the system is in terms of IT security and that you have to constantly work on developing defense capabilities,” he said. Most of the roughly 800 stores of the Swedish grocery chain Coop were closed all weekend because their supplier of cash register software was hit by the attack. The shops are still closed today. A Swedish pharmacy chain, a gas station chain, the state railway and the public broadcaster SVT were also affected.
A wide range of businesses and public services were affected, including financial services, travel and leisure and the public sector, though few large companies were among them, the cybersecurity company Sophos reported. The cybersecurity firm ESET identified victims in countries including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.
The extortionists infiltrate networks and plant malware that cripples them by encrypting all their data, rendering it unusable. Victims receive the decryption key only when they pay.
In Germany, an IT services company told authorities that several thousand of its customers were at risk, the DPA news agency reported. Among the reported victims were two large Dutch IT services companies, VelzArt and Hoppenbrouwers Techniek. Most victims do not report attacks publicly and do not disclose whether they paid a ransom.
On Sunday, the FBI said that while it was investigating the attack, its scale “may be such that we will not be able to respond to each victim individually.” U.S. Deputy National Security Adviser Anne Neuberger said President Joseph Biden had “directed the full resources of the government to investigate this incident” and urged anyone who believed they had been compromised to report it to the FBI.
Biden hinted on Saturday that the United States would respond if the Kremlin were found to be involved. Less than a month ago, Biden pressed Russian President Vladimir Putin to stop providing refuge to REvil and other ransomware gangs whose relentless extortion attacks the United States considers a threat to national security.
Today, Putin’s spokesman Dmitry Peskov answered in the negative when asked whether Russia was aware of the attack or had investigated it. He hinted that the United States and Russia could discuss the matter at consultations on cybersecurity issues, the date of which has not been announced.
Experts say it is no coincidence that REvil launched the attack at the start of the July 4 holiday weekend in the United States, knowing that American offices would be thinly staffed and that many victims would discover it only on Monday or Tuesday.
Most end users “have no idea” whose software maintains their networks, said Fred Voccola, CEO of the affected software company Kaseya.
He estimated the number of victims at several thousand, mostly small companies such as “dental offices, architectural firms, plastic surgery centers, libraries and the like.”
Voccola said that only between 50 and 60 of his company’s 37,000 customers were compromised. But 70 percent of those are service providers that use the company’s hacked VSA software to manage many other clients. The software automates the installation of software updates and malware detection and manages backups and other vital tasks.
Kaseya said it sent an attack detection tool to nearly 900 addresses on Saturday night.
REvil’s offer to provide decryption to all victims of the Kaseya attack in exchange for $70 million suggests the gang is unable to cope with the huge number of infected clients, said Allan Liska, a cybersecurity analyst at Recorded Future.
But Kevin Reed of Acronis said the universal decryptor offer could be a “PR stunt,” since processing payments of the basic ransom demand of at least $45,000, which was apparently sent to the vast majority of targets, would not require human involvement. Analysts reported demands of five million and 500,000 dollars for larger targets, which would require negotiations.
Emsisoft analyst Brett Callow said he suspected REvil was hoping insurers would calculate that paying a total of $70 million would cost less than the attacked companies’ remaining out of operation for a long time.
Sophisticated ransomware gangs such as REvil usually examine the victim’s financial records and insurance policies, if they can find them in the files they steal before activating the ransomware. The criminals then threaten to publish the stolen data if they are not paid, although in this case that does not appear to have happened. This attack evidently struck at the core of the system instead: REvil seems to have only encrypted victims’ data.
Dutch investigators said they had alerted Kaseya, a Miami-based company, to the intrusion, and said the criminals had exploited a “zero day,” the technical term for a previously unknown security hole in the software.
In 2019, criminals broke into the networks of 22 municipalities in Texas through a single network. That same year, 400 U.S. dental offices were crippled in a second attack.
Active since April 2019, REvil operates ransomware as a service, meaning that it develops the software that cripples networks and leases it to so-called affiliates, which infect targets and earn the lion’s share of the ransoms. U.S. officials say the most powerful extortion gangs are based in Russia and its allies and operate with the Kremlin’s tolerance, and sometimes in collusion with Russian security services.