Three days after ransomware attackers compromised Kaseya VSA at the start of the holiday weekend, we have a clearer idea of how far the impact reaches. In a new ransom note, the attackers claim to have compromised more than 1 million computers and are demanding $70 million to decrypt the affected devices.
Kaseya’s software is used by managed service providers to remotely perform IT tasks, but on July 2, the Russia-affiliated REvil ransomware group pushed out a malicious software update that locked providers out of the platform and exposed their customers.
The Dutch Institute for Vulnerability Disclosure (DIVD) found that the exploit used in the breach appears to be the same one it had discovered and was about to address when the attackers struck. “We have already done a thorough investigation of the backup and system management tools and their vulnerabilities,” wrote DIVD. “One of the products we looked at is Kaseya VSA. We discovered serious security gaps in Kaseya VSA and reported them to Kaseya, with whom we have been in regular contact since then.”
On Friday, Kaseya CEO Fred Voccola said, “Only a very small percentage of our customers have been affected – it is currently estimated to be less than 40 worldwide.” Ross McKerchar, Vice President of Sophos, said in a statement on Sunday: “This is one of the most far-reaching criminal ransomware attacks Sophos has ever seen. At this point, our evidence shows that more than 70 managed service providers were affected, resulting in more than 350 additional organizations affected. We assume that the total number of victim organizations is higher than what is reported by any individual security company.”
Building on earlier comments by President Biden, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said: “The FBI and CISA will reach out to identified victims for assistance based on a national risk assessment.”
Huntress Labs, which is participating in the attack response and has cataloged most of the information available, said the attack compromised over 1,000 companies that it is tracking.
Referring to a post on REvil’s “Happy Blog”, Sophos, Huntress and others reported that the group claims more than a million devices were infected and is demanding a ransom of $70 million in Bitcoin to unlock them all. REvil has been linked to a number of ransomware incidents, including an attack targeting Kaseya in June 2019 and a high-profile incident earlier this year that targeted meat supplier JBS. Security researcher Marcus Hutchins expressed skepticism over the group’s claim, suggesting they are overstating the impact in hopes of getting a big payoff from Kaseya or someone else.
One of the companies hardest hit by the attack so far is Coop, a chain of over 800 grocery stores in Sweden that closed on Saturday when the attack took down their checkouts. According to a notice on its website, shops where customers can shop with the Coop Scan & Pay app have reopened, while other locations will remain closed. Experts have predicted that when workers return to offices in the US on Tuesday, more victims may be discovered.
Kaseya’s SaaS cloud servers remained offline three days after the attack. The company says it will provide an updated server recovery schedule and other technical details of the attack tonight to aid recovery efforts by customers and security researchers.