Scale, details of the massive Kaseya ransomware attack emerge


FILE - This February 23, 2019 file photo shows the inside of a computer in Jersey City, NJ. A ransomware attack crippled the networks of at least 200 US companies on Friday, July 2, 2021, according to a cybersecurity researcher whose company responded to the incident. (AP Photo / Jenny Kane, File)

AP

Cybersecurity teams worked feverishly on Sunday to contain the effects of the largest global ransomware attack on record, as some details emerged about how the Russia-linked gang responsible breached the company whose software was the conduit.

An affiliate of the notorious REvil gang, best known for extorting $11 million from meat processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.

REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday, in a post on its dark web site, it offered a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency.

The FBI said in a statement that while it was investigating the attack, its scale “could result in our being unable to respond to each victim individually.” Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had “directed all government resources to investigate this incident,” and urged all who believed they were compromised to alert the FBI.

Biden suggested on Saturday that the US would respond if it was determined that the Kremlin was at all involved.

Less than a month ago, Biden pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose relentless extortionary attacks the US deems a national security threat.

A broad array of businesses and public agencies were hit by the latest attack, apparently on every continent, including financial services, travel and leisure and the public sector, though few large companies, the cybersecurity firm Sophos reported. Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay.

Swedish grocery chain Coop said most of its 800 stores would be closed for a second day on Sunday because their cash register software provider was paralyzed. A Swedish pharmacy chain, petrol station chain, the state railway and the public broadcaster SVT were also hit.

In Germany, an unnamed IT service provider informed the authorities that several thousand of its customers had been compromised, the news agency dpa reported. The reported victims also included two large Dutch IT service companies, VelzArt and Hoppenbrouwer Techniek. Most ransomware victims do not publicly report attacks or disclose whether they have paid a ransom.

Fred Voccola, CEO of the hacked software company Kaseya, estimated the number of victims at a few thousand, mostly small businesses such as “dental offices, architecture firms, plastic surgery centers, libraries, etc.”

Voccola said in an interview that only between 50 and 60 of the company’s 37,000 customers were compromised. But 70% of those were managed service providers who use the company’s hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks.

Experts say it was no coincidence that REvil launched the attack at the start of the Fourth of July holiday weekend, knowing US offices would be lightly staffed. Many victims may not learn of it until they are back at work on Monday. Most end users of managed service providers “have no idea” what software is keeping their networks running, Voccola said.

Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.

REvil’s offer of blanket decryption for all victims of the Kaseya attack in exchange for $70 million indicated its inability to cope with the sheer volume of infected networks, said Allan Liska, an analyst at the cybersecurity firm Recorded Future. Although analysts reported seeing demands of $5 million and $500,000 for larger targets, most were apparently for $45,000.

“This attack is much bigger than they expected and it is attracting a lot of attention. It’s in REvil’s interest to finish it quickly,” Liska said. “This is a nightmare to overcome.”

Emsisoft analyst Brett Callow said he suspects REvil is hoping insurers will crunch the numbers and find that $70 million is cheaper for them than prolonged downtime.

Sophisticated REvil-level ransomware gangs usually examine a victim’s financial records, and insurance policies if they can find them, from files they steal before activating the ransomware. The criminals then threaten to dump the stolen data online if they are not paid. That does not appear to have happened in this attack.

Dutch researchers said they alerted Miami-based Kaseya to the breach and that the criminals used a “zero day,” the industry term for a previously unknown software vulnerability. Voccola would not confirm that or offer details of the breach, except to say that it was not phishing.

“The level of sophistication here has been exceptional,” he said.

When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals not only breached Kaseya code by breaking into its network but also exploited vulnerabilities in third-party software.

It was not the first ransomware attack to exploit managed service providers. In 2019, criminals hobbled the networks of 22 Texas municipalities through one. In the same year, 400 US dental practices were crippled in a separate attack.

One of the Dutch vulnerability researchers, Victor Gevers, said his team is worried about products like Kaseya’s VSA because they have full control over vast computing resources. “More and more products that are supposed to keep networks secure and protected have structural weaknesses,” he wrote in a blog post on Sunday.

Cybersecurity company ESET identified victims in at least 17 countries including the UK, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.

According to Kaseya, the attack only affected “on-premise” customers, companies that operate their own data centers, as opposed to its cloud-based services that run software for customers. It nevertheless shut down those servers as a precaution.

Kaseya, which asked customers on Friday to shut down their VSA servers immediately, said on Sunday it hoped to have a patch within the next few days.

REvil has been active since April 2019 and offers ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of the ransoms. US officials say the most potent ransomware gangs are based in Russia and allied states and operate with the Kremlin’s tolerance, and sometimes collaborate with Russian security services.

Cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank said that while he doesn’t believe Kaseya’s attack is being led by the Kremlin, it shows that Putin “has not done anything” to shut down cyber criminals.
