BOSTON (AP) – Cybersecurity teams worked feverishly on Sunday to contain the effects of the largest global ransomware attack ever, as some details emerged about how the Russian-affiliated gang broke into the company whose software was the conduit.
An affiliate of the infamous REvil gang, best known for extorting $11 million from meat processor JBS after an attack on Memorial Day, infected thousands of victims in at least 17 countries on Friday, mostly through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday, in a post on its dark web site, it offered a universal decryption software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency.
Earlier, the FBI said in a statement that while it was investigating the attack, its scale might leave the bureau unable to respond to each victim individually. Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had “directed the full resources of the government to investigate this incident,” and urged anyone who believed they were compromised to alert the FBI.
Biden suggested Saturday that the US would respond if the Kremlin was found to be involved in any way.
Less than a month ago, Biden pressed Russian President Vladimir Putin to act against REvil and other ransomware gangs, whose relentless extortion attacks the US sees as a national security threat.
A broad array of businesses and government agencies were hit by the latest attack, apparently on every continent, including financial services, travel and leisure, and the public sector – though few large corporations, cybersecurity firm Sophos reported. Ransomware criminals infiltrate networks and plant malware that cripples them by encrypting all of their data. Victims receive a decryption key when they pay.
Swedish grocery chain Coop said most of its 800 stores would be closed for a second day on Sunday because their cash register software provider was paralyzed. A Swedish pharmacy chain, petrol station chain, the state railway and the public broadcaster SVT were also hit.
In Germany, an unnamed IT service provider informed the authorities that several thousand of its customers had been compromised, the news agency dpa reported. The reported victims also included two large Dutch IT service companies – VelzArt and Hoppenbrouwer Techniek. Most ransomware victims do not publicly report attacks or reveal whether or not they have paid a ransom.
Fred Voccola, CEO of the hacked software company Kaseya, estimated the number of victims to be a few thousand, mostly small businesses such as “dental practices, architecture firms, plastic surgery centers, libraries and the like”.
Voccola said in an interview that only 50 to 60 of the company’s 37,000 customers had been compromised. But 70% of those were managed service providers using the company’s hacked VSA software to manage multiple customers. VSA automates the installation of software and security updates and manages backups and other important tasks.
Experts say it was no coincidence that REvil launched the attack at the beginning of the July 4th holiday weekend, knowing the US offices would be sparsely manned. Many victims may not find out about this until they get back to work on Monday. Most managed service provider end users “have no idea” whose software is keeping their networks running, Voccola said.
Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.
REvil’s offer of blanket decryption for all victims of the Kaseya attack in exchange for $70 million indicated that it is struggling to cope with the sheer volume of infected networks, said Allan Liska, an analyst at cybersecurity firm Recorded Future. Although analysts reported seeing demands of $5 million and $500,000 for larger targets, most were apparently asking for $45,000.
“This attack is much bigger than they expected and is attracting a lot of attention. It’s in REvil’s interest to finish it quickly,” Liska said. “This is a nightmare to manage.”
Emsisoft analyst Brett Callow said he suspects REvil is hoping insurers will crunch the numbers and find that $70 million is cheaper for them than prolonged downtime.
Sophisticated ransomware gangs at REvil’s level usually examine a victim’s financial records – and insurance policies if they can find them – from files they steal before activating the ransomware. The criminals then threaten to dump the stolen data online if the ransom is not paid. That does not seem to have happened in this attack.
Dutch researchers said they had brought the breach to the attention of Miami-based Kaseya and said the criminals used a “zero day,” the industry term for a previously unknown vulnerability in the software. Voccola would neither confirm this nor provide details of the breach – except to say that it was not phishing.
“The level of sophistication here has been exceptional,” he said.
Voccola said he is confident that when cybersecurity firm Mandiant completes its investigation, it will show that the criminals not only exploited Kaseya’s own code to break into its network but also exploited vulnerabilities in third-party software.
It was not the first ransomware attack to exploit managed service providers. In 2019, criminals crippled the networks of 22 Texas municipalities through a. The same year, 400 US dental offices were crippled in a separate attack.
One of the Dutch vulnerability researchers, Victor Gevers, said his team is concerned about products like Kaseya’s VSA because they have complete control over the vast computing resources they can offer. “More and more of the products that are supposed to keep networks safe and secure have structural weaknesses,” he wrote in a blog post on Sunday.
Cyber security company ESET identified victims in at least 17 countries including the UK, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.
According to Kaseya, the attack only affected “on-premise” customers, i.e. companies that operate their own data centers, as opposed to its cloud-based services that run software for customers. However, it shut down these servers as a precautionary measure.
Kaseya, which asked customers on Friday to shut down their VSA servers immediately, said on Sunday that it hopes to have a patch within the next few days.
REvil has been active since April 2019 and offers ransomware-as-a-service, i.e. it develops the network-crippling software and rents it to so-called affiliates who infect targets and earn the lion’s share of the ransom money. US officials say the most powerful ransomware gangs are based in Russia and allied states, and operate with the tolerance of the Kremlin and sometimes collaborate with Russian security services.
Cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank said that while he does not believe the Kaseya attack was directed by the Kremlin, it shows that Putin “has not done anything” to shut down cyber criminals.