A Russia-linked gang is now demanding $70 million to end the ransomware attack. Rafael Henrique/SOPA Images/LightRocket via Getty Images
A Russia-linked gang infected thousands across the globe and is now demanding $70 million to end what many are calling the biggest ransomware attack on record.
CNN reported this morning that cybersecurity teams are “working feverishly” to deal with the impact of an attack by an affiliate of the notorious ransomware gang known as REvil. The affiliate “infected thousands of victims in at least 17 countries on Friday,” mainly through “firms that remotely manage IT infrastructure for multiple customers,” cybersecurity researchers told CNN.
The researchers added that while REvil was demanding ransoms of up to $5 million, it posted on the dark web late Sunday night saying it would “unscramble all affected machines in exchange for $70 million in cryptocurrency.”
The attack exploited IT management software sold by Kaseya right at the start of the long Fourth of July weekend, which means many more victims across the United States may only discover and report the damage in the coming days as they return to the office. The Associated Press notes that Sweden may have been the country hit hardest, or at least the one most open about the damage: its defense minister, Peter Hultqvist, called the situation “a serious attack on basic functions in Swedish society” in a TV interview, The AP reports.
Swedish grocery chain Coop had to close most of its 800 stores because the attack took down the supplier of its cash-register software. Pharmacy and gas station chains in the country were also hit, as were its state railway and the public broadcaster SVT.
“It shows how fragile the system is when it comes to IT security and that you must constantly work to develop your ability to defend yourself,” Hultqvist added.
As Wired highlights, the attack is also a “watershed moment” because it combines ransomware with a supply chain attack: the hackers exploited a vulnerability in Kaseya’s update mechanism and wove REvil’s ransomware into Kaseya’s trusted distribution channel. In other words, Kaseya’s own software unknowingly delivered the malware to its customers (managed service providers, or MSPs) and, through them, to the businesses those MSPs administer.
“What’s interesting about this, and concerning, is that REvil used trusted applications in every instance to get access to targets. Usually ransomware actors need multiple vulnerabilities at different stages to do that or time on the network to uncover administrator passwords,” Sophos senior threat researcher Sean Gallagher told Wired. “This is a step above what ransomware attacks usually look like.”
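The general lesson of the two paragraphs above is that a distribution channel endpoints trust unconditionally becomes an attack path the moment the channel is compromised. The following is an added illustration, not code from the article, from Kaseya, or from any researcher quoted here, and it does not describe how Kaseya’s actual update mechanism works or how it was compromised. It shows the standard defense for this class of problem: the endpoint refuses to execute an update unless a manifest signed by an offline publisher key matches the payload it received, so a server that has been taken over can swap the payload but cannot produce a valid signature for it. Key names, the manifest layout and the sample payloads are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the distribution server hands to an endpoint alongside the
// update payload. Only the publisher's offline private key can produce Sig, so
// a compromised server cannot mint one. (Constructed layout for this example.)
type Manifest struct {
	Version    uint32
	PayloadSHA [32]byte
	Sig        []byte
}

// signedBytes is the canonical byte string the publisher signs: the version
// (so rollbacks are detectable) followed by the payload hash.
func signedBytes(version uint32, sum [32]byte) []byte {
	b := make([]byte, 4, 4+32)
	binary.BigEndian.PutUint32(b, version)
	return append(b, sum[:]...)
}

// Publish runs on the publisher's build host, the only place the private key lives.
func Publish(priv ed25519.PrivateKey, version uint32, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{
		Version:    version,
		PayloadSHA: sum,
		Sig:        ed25519.Sign(priv, signedBytes(version, sum)),
	}
}

// Verify runs on the endpoint before any byte of payload is executed.
// lastVersion is what the endpoint already has installed; anything not newer is
// refused so a compromised server cannot replay an older, vulnerable build.
func Verify(pub ed25519.PublicKey, m Manifest, payload []byte, lastVersion uint32) error {
	if m.Version <= lastVersion {
		return errors.New("rollback: manifest version is not newer than the installed one")
	}
	if !ed25519.Verify(pub, signedBytes(m.Version, m.PayloadSHA), m.Sig) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return errors.New("payload hash does not match the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample payloads standing in for a real agent update.
	genuine := []byte("agent-update-v2 (constructed sample payload)")
	m := Publish(priv, 2, genuine)
	fmt.Println("genuine update:   ", Verify(pub, m, genuine, 1))

	// A taken-over distribution server swaps the payload but reuses the old manifest.
	swapped := []byte("ransomware dropper (constructed sample payload)")
	fmt.Println("swapped payload:  ", Verify(pub, m, swapped, 1))

	// It also cannot forge a fresh manifest without the publisher's key.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	forged := Publish(rogue, 3, swapped)
	fmt.Println("forged manifest:  ", Verify(pub, forged, swapped, 1))

	// Replaying a genuinely signed but older build is refused as a rollback.
	fmt.Println("replayed old build:", Verify(pub, m, genuine, 2))
}
```

The check only helps if the public key is pinned on the endpoint out of band and the private key never touches the distribution server; if the server that was compromised also holds the signing key, signing buys nothing, which is why the publisher step is kept separate above.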
Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure had been working with Kaseya to develop and test patches for the flaw shortly before the attack, but the patches had not yet been deployed when REvil struck, Wired reports.
“We did our best, and Kaseya did their best,” Victor Gevers, a researcher from the Dutch Institute for Vulnerability Disclosure, told Wired. “It is an easy-to-find vulnerability, I think. This is most likely the reason why the attackers won the end sprint.”