Kaseya Ransomware Attack: USD 70 Million Demanded by REvil

Jul 8, 2021
4 min read

Introduction

The hacker group suspected of masterminding the world's biggest ransomware attack has demanded 70 million dollars to restore the data it is holding. The demand was posted on a dark-web site that the Russian-linked cybercrime gang REvil typically uses, after the group allegedly broke into the US IT firm Kaseya. Over the weekend, that access was used to breach Kaseya's network of clients, involving hundreds of companies worldwide. Schools, organizations, and credit unions have all been badly affected by the attack. Experts believe there are victims in at least 17 countries, including the US and Germany. Kaseya has hired the cybersecurity firm FireEye to deal with the attack.

Last month, REvil extorted 11 million dollars from the world's largest meat processing company JBS.

Kevin Reed, Chief Information Security Officer, Acronis, stated, "I don't really think that the REvil gang expects this demand to be fulfilled because, for one, they somehow need to collect it from multiple organizations or from multiple insurers that are insuring those organizations, or they really need to have one large organization or potentially a government that would back such a large payment."

Impact of The Attack

A wide range of organizations and government entities were impacted, including those in financial services and travel. According to reports, several countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya, were affected. Kaseya, a leading IT firm, bore the brunt of the attack. According to a senior executive at the American IT firm Kaseya, up to 1,500 firms worldwide have been hit in the largest ransomware attack in history. The Russian-linked hackers carried out the attack using software built by the corporation as the conduit.

Kaseya is a software provider for IT outsourcing agencies, which often undertake back-office work for businesses that are too small or under-resourced to run their own IT departments. The hackers, who are thought to be linked to the notorious REvil organization, exploited Kaseya's VSA software, the tool these agencies use to monitor and manage their clients' computer systems remotely.

REvil Criminals Demand $70 Million Ransom For The Global Decryption Key

Earlier research had indicated ransom demands of $45,000 for each encrypted machine that is not domain-joined and $5 million for an entire domain, but REvil quickly changed track on the higher figure. Bleeping Computer has viewed some of the conversations with REvil; in one of them, a victim with a dozen encrypted extensions was told to pay a $500,000 ransom.

"Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a Big Game Hunting attack," Adam Meyers, senior vice president of CrowdStrike Intelligence, said, "launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down. What we are seeing now in terms of victims is likely just the tip of the iceberg."

In Sweden, for example, when the checkouts at the Swedish Coop's 800 supermarkets stopped operating, the company was forced to close up to 500 of its stores. Now, the REvil group is demanding $70 million in bitcoin in exchange for a "universal decryptor" that will return users' access.

Kaseya's Response To The Attack

According to the company, last week's REvil ransomware attack affected fewer than 60 of Kaseya's direct customers and up to 1,500 of those customers' downstream clients.

According to the software company, all Kaseya customers who were hacked were using the VSA on-premises solution, which provides remote IT management capabilities to managed service providers (MSPs).

The supply chain attack began on July 2, when threat actors took control of VSA servers and pushed malicious updates to MSP customers. Kaseya stated it has found no evidence that any SaaS customers were directly impacted.

"The attackers were able to circumvent authentication and run arbitrary commands by exploiting zero-day vulnerabilities in the VSA software. The attackers were able to use the typical VSA product capabilities to distribute ransomware to endpoints as a result," according to the incident report. "There is no evidence that Kaseya's VSA codebase has been updated maliciously."
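The incident report describes two things a defender can look for in a management server's own audit trail: actions taken by a session that never authenticated, and the product's normal push capability being used to deliver one payload to many endpoints in a short burst. The script below is an added example for this article, not Kaseya's code and not the real VSA log format; the pipe-separated audit lines, the session ids (`sess-a1`, `sess-zz`), host names and procedure names are all constructed for illustration.

```python
"""Toy detection over a constructed RMM audit log.

Rule 1: a DEPLOY event whose session has no earlier LOGIN_OK record
        (an action by a session that bypassed authentication).
Rule 2: one procedure pushed to >= `threshold` distinct agents within
        `window` (mass deployment through the product's own features).
The log format and every value in SAMPLE_LOG are constructed for this
example; they are not Kaseya VSA's format or data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|event|session|key=value ...
SAMPLE_LOG = """\
2021-07-02T14:00:01Z|LOGIN_OK|sess-a1|user=msp-admin
2021-07-02T14:05:10Z|DEPLOY|sess-a1|proc=patch-windows.ps1 agent=host-001
2021-07-02T14:06:10Z|DEPLOY|sess-a1|proc=patch-windows.ps1 agent=host-002
2021-07-02T14:30:00Z|DEPLOY|sess-zz|proc=agent.exe agent=host-010
2021-07-02T14:30:01Z|DEPLOY|sess-zz|proc=agent.exe agent=host-011
2021-07-02T14:30:02Z|DEPLOY|sess-zz|proc=agent.exe agent=host-012
2021-07-02T14:30:03Z|DEPLOY|sess-zz|proc=agent.exe agent=host-013
2021-07-02T14:30:04Z|DEPLOY|sess-zz|proc=agent.exe agent=host-014
"""


def parse_log(text):
    """Turn each audit line into a dict with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event, session, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event,
            "session": session,
            **fields,
        })
    return events


def find_unauthenticated_actions(events):
    """Rule 1: flag DEPLOYs from sessions that never logged in."""
    seen_login = set()
    alerts = []
    for e in events:  # events are assumed to be in chronological order
        if e["event"] == "LOGIN_OK":
            seen_login.add(e["session"])
        elif e["event"] == "DEPLOY" and e["session"] not in seen_login:
            alerts.append(("unauthenticated_session", e["session"], e["agent"]))
    return alerts


def find_mass_deployments(events, threshold=4, window=timedelta(minutes=10)):
    """Rule 2: flag a procedure reaching >= threshold agents inside one window."""
    per_proc = defaultdict(list)  # proc name -> [(ts, agent), ...]
    for e in events:
        if e["event"] == "DEPLOY":
            per_proc[e["proc"]].append((e["ts"], e["agent"]))
    alerts = []
    for proc, pushes in per_proc.items():
        pushes.sort()
        for i, (start, _) in enumerate(pushes):
            # distinct agents reached within `window` of this push
            agents = {a for t, a in pushes[i:] if t - start <= window}
            if len(agents) >= threshold:
                alerts.append(("mass_deployment", proc, len(agents)))
                break  # one alert per procedure is enough
    return alerts


def analyse(text):
    """Run both rules over a raw log and return all alerts."""
    events = parse_log(text)
    return find_unauthenticated_actions(events) + find_mass_deployments(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample data the legitimate `sess-a1` session, which logged in and touched two hosts, produces nothing, while `sess-zz` is flagged by both rules: it never authenticated, and it pushed the same binary to five hosts in four seconds. In a real deployment the threshold and window would be tuned to the organisation's normal patch cadence so that routine maintenance does not trip the second rule.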

Kaseya claimed in a statement on Tuesday that the REvil attacks had "minimal impact." At the same time, the company says the compromised Kaseya customers affected only about 1,500 "downstream businesses" or MSP clients. It is unclear whether all of these 1,500 businesses were merely breached or actually had their data locked by ransomware.

President Biden has previously stated that his initial thoughts are that "it was not the Russian government," but that he isn't certain and that US intelligence services have been asked to investigate. Given that we are dealing with a criminal gang rather than a state-sponsored espionage squad, this could backfire for REvil. Furthermore, while it is known that REvil's operators are Russian-speaking, this does not imply that REvil is based in Russia or is in any way protected by the Russian government.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance for MSPs and customers impacted by the ransomware attack. Kaseya has been publishing regular updates on the incident, having responded well under duress by swiftly shutting down services to limit further damage and doing so transparently.

Conclusion

In a video statement to customers, Kaseya CEO Fred Voccola said his company moved fast to mitigate and contain the attack by collaborating with the Department of Homeland Security, the FBI, the White House, and private-sector partners. While the supply chain attack affected only a tiny percentage of Kaseya's 35,000 customers, he acknowledged the widespread impact the breaches had on small and medium-sized businesses.

He said that in response to the REvil attacks, Kaseya is taking a careful approach to restoring all systems and services. VSA on-premises customers will receive a security patch, which the company is currently testing and validating. The patch is scheduled to be released within 24 hours after the SaaS servers, which Kaseya shut down as a precaution, are brought back up.

Assuming REvil's ransomware assault has infected hundreds of businesses, the issue now becomes "how many simultaneous negotiations REvil can handle, and whether firms that wish to pay will encounter delays."