Hackers ‘demand US$70 million’ after mass ransomware attack
- Latest mass attack impacts thousands of businesses around the world
- Russian-based hackers have been blamed for a string of ransomware attacks
The hackers suspected to be behind a mass ransomware attack that affected hundreds of companies worldwide demanded US$70 million to restore the data, according to a posting on a dark website.
The demand was posted on a site typically used by the REvil cybercrime gang, a Russia-linked group that is counted among the cybercriminal world’s most prolific extortionists.
The gang has an affiliate structure, occasionally making it difficult to determine who speaks on the hackers’ behalf, but Allan Liska of cybersecurity firm Recorded Future said the message “almost certainly” came from REvil’s core leadership.
REvil’s ransomware attack, which the group executed on Friday, was among the most dramatic in a series of increasingly attention-grabbing hacks.
The gang broke into Kaseya, a Miami-based information technology firm, and used their access to breach some of its clients’ clients, setting off a chain reaction that quickly paralysed the computers of hundreds of firms worldwide.
Cybersecurity experts swiftly blamed REvil for the attack. Sunday’s statement was the group’s first public acknowledgement that it was behind it.
REvil gang is best known for extorting US$11 million from the meat-processor JBS after a Memorial Day attack.
The FBI said it had opened an investigation along with the Cybersecurity and Infrastructure Security Agency and other US federal agencies “to understand the scope of the threat”.
“If you believe your systems have been compromised, we encourage you to employ all recommended mitigations, follow Kaseya’s guidance to shut down your VSA servers immediately and report to the FBI,” the bureau said in a statement Sunday, referencing the signature networking software that was attacked.
“Although the scale of this incident may make it so that we are unable to respond to each victim individually, all information we receive will be useful in countering this threat,” the FBI statement said.
“We’re not sure yet,” he said Saturday.
Ransomware attacks typically involve locking away data in systems using encryption, making companies pay to regain access.
Kaseya describes itself as a leading provider of IT and security management services to small and medium-sized businesses. VSA is designed to let companies manage networks of computers and printers from a single point.
The company said it was working “around the clock in all geographies” to get their systems working again.
They said they hoped to get a restricted version of their platform running again within days.
The disruption forced Swedish supermarket chain Coop Sweden to close on Saturday because their cash register system had been taken down in the attack.
John Hammond of Huntress Labs, one of the first cybersecurity firms to sound the alarm on the attack, said he’d seen US$5 million and US$500,000 demands by REvil for the decryptor key needed to unlock scrambled networks. The smallest amount demanded appears to have been US$45,000.
Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralysing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.
The UN Security Council last week held its first formal public meeting on cybersecurity, addressing the growing threat of hacks to countries’ key infrastructure.
Several Security Council members acknowledged the grave dangers posed by cybercrime, notably ransomware attacks on major installations and companies.
Multiple US companies, including the computer group SolarWinds and the Colonial oil pipeline, have also recently been targeted by ransomware attacks.
Reuters, Agence France-Presse and Associated Press