Kaseya Ransomware Attack: Hackers Demand $70 Million for Joint Ransom

Key Takeaways

  • The Russian cyber-crime gang REvil compromised Kaseya, a software company, and used Kaseya's own product to spread ransomware into customers' networks in a supply-chain attack

  • REvil first demanded varying ransoms from individual victims, then posted a single joint ransom demand on its dark-web site

  • The attack comes just weeks after President Biden pressed Putin to start cracking down on Russian cybercrime

Potentially the largest ransomware attack on record

Over the Fourth of July holiday weekend, Kaseya Ltd., a Miami-based company that provides software to help other businesses manage their networks, was hit by a sprawling ransomware attack that could prove to be the biggest in history. 

It is already the largest number of organizations hit by a single ransomware attack, with the count currently in the low thousands and climbing. The only comparable event is the infamous WannaCry worm of 2017, which infected hundreds of thousands of computers; the NSA eventually linked the creation of that worm to the North Korean government. That makes Kaseya easily the largest ransomware attack not attributed to a nation state that we have ever seen.

The companies affected by the attack include a wide range of small to large businesses that use managed IT services. Kaseya also serves a number of state and local governments as customers. CEO of Kaseya, Fred Voccola, said the affected businesses include "dental practices, architecture firms, plastic surgery centers, libraries, things like that".

A major grocery chain in Sweden, Coop Sweden, said on Saturday that its IT provider had been hit by the attack and that its cash registers were locked up. The company said on its Facebook page that it had to close hundreds of stores.

What we know about how this happened

The hackers targeted Kaseya's VSA (Virtual System Administrator), remote monitoring and management software that IT service providers and larger companies use to administer the machines on their own and their customers' networks, including pushing software and security updates out to them. Because a VSA server can run code on every endpoint it manages, compromising the server let the attackers turn that trusted update channel into a delivery mechanism for ransomware, in what is known as a supply-chain attack. Only about 50 of Kaseya's roughly 40,000 direct customers were compromised; unfortunately about 40 of those 50 were managed IT service providers, each with many customers of their own, which is how the attack reached so many victims. Ransomware is historically underreported, and because the attack landed over a long holiday weekend the total number of victims may not be known for a while.
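The mechanism described above, a management server that can push code to every endpoint it manages, is what turns one compromise into thousands, and it is also what a defender can watch for: the management agent on the endpoint should not be the parent of a shell that switches off the antivirus and decodes a payload. The following is an added example, not code from this page or from Kaseya: a small detection pass over process-creation telemetry that flags a remote-management (RMM) agent spawning a shell which tampers with Windows Defender, decodes a file with certutil, or stalls with a long ping. The agent process names, the indicator patterns, the paths and the JSON log lines are assumptions constructed for the example; adapt them to your own telemetry.

```python
"""Detect a remote-management (RMM) agent being used to disarm an endpoint
and stage a payload.  Added example; not the page's or Kaseya's code.  The
process names, indicator patterns and sample log lines are assumptions
constructed for illustration."""
import json
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Parent processes that legitimately run scripts on managed endpoints.
# agentmon.exe is the Kaseya VSA agent service; rmmagent.exe is a placeholder.
RMM_AGENTS = {"agentmon.exe", "rmmagent.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line indicators worth flagging whatever RMM product is in use.
INDICATORS = {
    # Defender real-time / script scanning switched off from the command line.
    "defender_tamper": re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I),
    # certutil (or a renamed copy such as cert.exe) decoding a base64 payload;
    # [^&|]* keeps the match inside a single cmd.exe command segment.
    "certutil_decode": re.compile(r"\bcert(util)?(\.exe)?\b[^&|]*-decode\b", re.I),
    # ping used as a sleep to outlast sandbox analysis.
    "ping_sleep": re.compile(r"\bping\b[^&|]*-n\s+\d{3,}", re.I),
}


@dataclass
class Alert:
    host: str
    image: str
    parent: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict) -> Optional[Alert]:
    """Score one process-creation event; return None when nothing is notable."""
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    cmdline = ev.get("command_line", "")
    from_rmm = parent in RMM_AGENTS
    reasons = []
    if from_rmm and image in SHELLS:
        reasons.append("rmm_agent_spawned_shell")
    reasons += [name for name, pat in INDICATORS.items() if pat.search(cmdline)]
    if not reasons:
        return None
    hostile = any(r != "rmm_agent_spawned_shell" for r in reasons)
    if hostile and from_rmm:
        severity = "high"    # the management channel itself is delivering the attack
    elif hostile:
        severity = "medium"  # same tradecraft, but not arriving via the RMM agent
    else:
        severity = "low"     # RMM agents run shells routinely; keep for baselining
    return Alert(ev.get("host", "?"), image, parent, severity, reasons)


def analyze(lines: Iterable[str]) -> List[Alert]:
    """Run analyze_event over JSON-lines telemetry, skipping blank lines."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = analyze_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: process-creation events as JSON lines.
SAMPLE_LOG = r"""
{"host": "WS01", "parent_image": "C:\\Program Files\\Kaseya\\AgentMon.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File C:\\kworking\\inventory.ps1"}
{"host": "WS02", "parent_image": "C:\\Program Files\\Kaseya\\AgentMon.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c ping 127.0.0.1 -n 4000 > nul & powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true & copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & C:\\Windows\\cert.exe -decode C:\\kworking\\agent.crt C:\\kworking\\agent.exe & C:\\kworking\\agent.exe"}
{"host": "WS03", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c certutil -decode C:\\Users\\alice\\cert.b64 C:\\Users\\alice\\cert.cer"}
{"host": "WS04", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c dir C:\\Users\\alice"}
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(json.dumps(a.__dict__))
```

Run as-is it emits three alerts: WS01 is low (the agent ran a script, which is normal), WS02 is high (the agent's shell disabled Defender, decoded a payload with a renamed certutil and delayed with ping), and WS03 is medium (a user decoding a file with certutil, with no RMM parent). The severity split matters in practice: the low-severity events are the baseline that lets you tell a normal patch-management run from the same channel being abused.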

The Russian cyber-crime gang REvil has claimed responsibility for the attack. REvil, the same group that was behind the recent attack on meat processor JBS, posted its ransom demand on a dark-web site associated with the group.

Active since April 2019, REvil operates as ransomware-as-a-service: it develops the ransomware and the infrastructure behind it and leases them to so-called affiliates, who carry out the intrusions and keep the majority of each ransom. U.S. officials say the most potent ransomware gangs are based in Russia and allied states, operate with the Kremlin's tolerance, and sometimes collude with Russian security services.

Experts say it was no coincidence that REvil launched the attack at the start of the Fourth of July holiday weekend, knowing U.S. offices would be lightly staffed.

Dutch researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) say the criminals distributed the ransomware by exploiting a "zero-day" vulnerability, the industry term for a security hole for which no fix is yet available. The DIVD team had found the vulnerability before the attack and was working with Kaseya on a patch, but REvil found and exploited the same flaw before the fix could be released and installed by customers.

“During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched,” researcher Victor Gevers wrote in a blog post Sunday. “They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”


The Ransom

Varying ransom demands have been made to the affected businesses: $5 million for bigger targets and $50,000 for smaller businesses. “This attack is a lot bigger than they expected and it is getting a lot of attention. It is in REvil's interest to end it quickly," said Allan Liska, a researcher with the cybersecurity firm Recorded Future. "This is a nightmare to manage."

Analysts believe the unexpected scale of the attack led REvil to offer a simpler way out: a joint ransom. REvil posted on its dark-web site an offer of a universal decryptor that would unscramble all affected machines, in exchange for $70 million in cryptocurrency. REvil appears to be betting that the affected businesses' insurers will do the math and conclude that $70 million is less than the combined losses from all of those companies being down for an extended period.

The FBI said in a statement that while it was investigating the attack its scale "may make it so that we are unable to respond to each victim individually." Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had "directed the full resources of the government to investigate this incident" and urged all who believed they were compromised to alert the FBI.

Escalating tensions between the U.S. and Russia

The attack could increase tensions between the U.S. and Russia, as it comes just weeks after President Biden met Russian President Vladimir Putin in Geneva and warned him that the United States would hold Moscow accountable for cyberattacks originating in Russia. Biden pressed Putin to stop giving safe haven to REvil and other ransomware gangs that frequently target the U.S.

On Monday, Putin's spokesman Dmitry Peskov was asked whether Russia was aware of the attack or had looked into it. He said no, but suggested it could be taken up in the U.S.-Russia consultations on cybersecurity issues, for which no timeline has been set.

Kaseya told all of its roughly 40,000 customers to take VSA offline until it better understood what was happening. On Sunday the company said it was patching the vulnerability and that customers not affected by the attack should be able to come back online within a few days.