REvil, a ransomware organization located in Russia, took down the networks of over 200 US companies and demanded $70 million in Bitcoin.
The hack expanded to over 1 million workstations running Kaseya supply chain software.
To launch a sophisticated cyberattack, REvil targeted a zero-day vulnerability in Kaseya’s system.
REvil, also known as Ransomware Evil, has launched a large-scale ransomware attack against hundreds of businesses that use Kaseya VSA Managed Service Providers (MSPs). Given the cost to affected firms of working around the encrypted data lost as a result of the attack, it is currently one of the most well-known cyberattacks in history.
REvil, also known as Sodinokibi, is a cybercriminal organization that provides private ransomware as a service (RaaS). REvil hires affiliates to distribute ransomware and divides the revenue from ransomware payments with them.
REvil launched an attack on end-user organizations employing Kaseya MSP providers on July 2. Kaseya’s IT Complete Product Suite and its family of companies, including Unitrends, RapidFire Tools, and Spanning Cloud Apps, provide industry-leading IT solutions.
Kaseya’s services are used by over 40,000 organizations throughout the world.
The attack did not directly target Kaseya’s MSPs; instead, it went against unnamed end-user businesses. The data of the target firms, which included several small and medium-sized businesses that lacked the ability to run an IT infrastructure in-house, was encrypted.
So far, no company has revealed the extent of the data damage caused by this attack. According to John Hammond, a security researcher at Huntress, a US-based cybersecurity firm, the number of firms affected is certain to rise.
REvil has demanded a ransom of $70 million in Bitcoin from their victims in exchange for publicly decrypting their data within an hour, according to a post on the Happy Blog, the cybercriminal group’s blog.
In response to REvil’s ownership of the attack, Kaseya CEO Fred Voccola was cited as saying:

“Kaseya has done everything correctly. Once the issue is rectified, we will receive a detailed report. We are quite lucky that this occurred over the Fourth of July weekend, when many of our customers are off. It would have been a much bigger calamity if this had happened during a typical work week.”

Kaseya is currently supporting affected businesses in securing their systems by providing a patch for installation prior to restarting the VSA.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have been collaborating with Kaseya and coordinating outreach to victims.
Although Bitcoin from REvil’s recent hack on the world’s largest meat-packer, JBS S.A., on May 30 was shown to have reached a darknet marketplace that caters only to Russian users, the attack has yet to be linked to the Russian government.
While the inquiry is ongoing, businesses can recover from the event by restoring their data from backup. However, this raises a data privacy concern, as REvil claims to have access to clients’ data, which they may disclose on their blog or sell on the darknet if they are not paid. Companies are left with only one option: pay the ransom and wait for REvil to unlock their data.
The world’s largest meat-packer, JBS S.A., was REvil’s most recent target, and they paid $11 million in Bitcoin as ransom to decrypt their data.
Because this is a sophisticated hack, the target companies have few options. The assault targeted a zero-day vulnerability, meaning the flaw was not yet generally known.
A software patch was created to correct this issue, according to the chair of the Dutch Institute for Vulnerability Disclosure, but it has not yet been released to users. To protect themselves from similar attacks in the future and to secure their systems from zero-day vulnerability exploitation, firms would need a greater level of cybersecurity and technical sophistication.
According to cybersecurity experts and organizations, several companies have been accumulating Bitcoin since 2017 to cover all their bases in the case of a large-scale attack.