Dozens of small law firms and dental clinics are grappling with ransomware infections while 800 Coop supermarket chains in Sweden had to close temporarily because they could not open their cash registers.
Kaseya hasn’t said whether it is considering paying the ransom, but ZDNet reported that the company did missed a July 6th deadline They use to restart SaaS servers. It planned subsequent configuration changes to improve security, including an on-site patch.
According to a statement from Kaseya, “an issue blocking publication” has been discovered in the VSA SaaS rollout. “The R&D and operations teams have worked through the night and will continue to work until we clear the release,” Kaseya said in a statement, adding that she is “working around the clock to resolve this issue and get service back.” .
Operators with REvil originally asked for $ 70 million for decryption keys, but CNBC reported private negotiators say the group is ready cut their claims to $ 50 million, despite the unchanged image at the leak point.
“It’s just a business. We absolutely don’t care about you or your business, other than benefits. If we don’t do our job and our liabilities, no one will fail to work with us, ”the ransomware group said in a message on its website.
“It’s not in our interest. If you don’t cooperate with our service – it doesn’t matter to us. But you lose your time and data because only we have the private key. In practice, time is much more” more valuable than money . “
In two of the most recent high profile ransomware attacks Colonial pipeline and meat processors JBS, both companies paid millions in ransom to get their data and systems back online with varying degrees of success. Colonial Pipeline paid nearly $ 5 million to DarkSide operators, while JBS paid $ 11 million in bitcoin to REvil, the same group that was behind the Kaseya attack.
While the official government response is that business never pay ransomRep. Eric Swalwell told ZDNet that he believes situations like these are the reason “Congress, in collaboration with the White House and law enforcement agencies, must take a coordinated approach to consider issues like these.”
“We can not wait anymore. Every light on the dashboard flashes. Ransomware attacks are becoming more common and threaten to paralyze entire sectors of the US economy, ”said Swalwell.
“These attacks threaten both the economy and national security. Businesses are outperformed and criminal organizations hold them hostage. Ransomware is a threat to any person, company, or organization that relies on computers.”
Many cybersecurity experts told Kaseya not to pay the ransom for a variety of reasons. Some said there was no evidence that the decryption keys would work, while others said the payment would only confirm the gang’s decision to launch such a widespread attack.
Mat Gangwer, vice president of Sophos Managed Threat Response, said he was unaware of any examples of REvil’s decryptor not working and that there was no incentive for them to provide an unusable decryptor.
“REvil was quite proud of what they put together and doesn’t want to risk this,” he said.
Bryson Bort, CEO of SCYTHE, said the type of ransom REvil was demanding was unprecedented. Bort said he thought it was “not up to Kaseya to pay the $ 70 million” and that they would have to “collect money from the parties concerned for a combined payment.”
“I’ve never realized anything like that. Nobody knows what this process would look like – they individually contribute to the same wallet and just trust? ”Asked Bort.
Ross McKerchar, vice president and CISO of Sophos, said that regardless of whether the decryption keys are provided, the recovery effort will still be significant.
“Affected organizations initially use MSPs because of limited IT resources, and these MSPs are inundated with requests for support, backup restores, and more, and the very tool that MSPs use to access customer environments to resolve issues in this area fix situation is offline, “stated McKerchar.
John McClurg, CISO of BlackBerry, told ZDNet that there is no golden rule for dealing with ransomware attacks. While paying ransom is publicly discouraged, there are many instances where there may be no other way to recover.
The financial impact of failed systems, reputational damage, and the potential for permanent data loss can be catastrophic for many organizations, McClurg said.
David White, president of Axio, said Kaseya should instead reimburse individual companies for all related impacts related to the attack, including any ransom payments that individual companies can make. He argued that this would benefit the people who were injured rather than the people behind the attack.
It can also cost far less than the $ 70 million or $ 50 million ransom, according to White, considering that some companies could recover on their own. White added that in the recent case of JBSwho have favourited decryption keys worked after paying a ransom, but he cited analysis from Coveware which showed that REvil sometimes demands a second payment and sometimes releases data that has been promised to destroy.
CYE CEO Reuven Aronashvili also noted that paying ransom money blacklisted companies from ransomware gangs who know which companies are willing to pay in the event of an attack.
Aronashvili also denied White’s assessment of the cost of the restoration, stating that $ 70 million “is definitely less than the cumulative costs of the various organizations.” Still, he suggested to Kaseya not to pay the ransom.
Allan Liska, a ransomware expert and a member of the Computer Security Incident Response Team at Recorded Future, stated that any ransom paid to REvil will likely be used to buy another zero day exploit.
But he said while Kaseya is feeling the heat for this fiasco, more pressure could be put on REvil members, as evidenced by their willingness to cut their ransom demand from $ 70 million to $ 50 million.
“This is a big mess for them that they don’t want. They still have a limited staff and we already know REvil is behind in processing negotiations and posting on their extortion sites. They only publish data on their extortion pages from attacks that took place in early June, “said Liska.
“You are already overwhelmed by the number of attacks you have made. Imagine 1,500 victims go to your chat services and try to figure out what the ransom is and all that other stuff. It’s a mess for them. And you now have the attention of all these different world governments. “
The audacity of the attack has not gone unnoticed by world leaders, who will now devote significant resources to bringing down the group, Liska said, adding that because of hubris, the people behind REvil want this disappears asap, but they can’t just hand out decryption keys.
REvil operators also have to grapple with the fact that some MSPs may start helping clients recover, which affects the group’s ability to benefit from the attack.
“So you’re going to get terribly bad press and make very little money. This started out as a very sophisticated operation. You have a zero-day vulnerability that is where a zero-day exploit is pushed through MSPs to weigh it down. And then everything looks like a cracker jack operation, “said Liska.
“It all looks like an amateur lesson, so you may have to do something else to save face because while the front section looks very effective, the aftermath looks like a complete disaster to you.”
For Kaseya, Liska said that paying the ransom would only make the problems they face worse. In his experience, the decryptor issued to REvil victims was lackluster and difficult to use.
“In addition to the ransom cost, they would have to pay Mandiant to write a real decryptor that they could distribute to the MSPs who could then distribute it to their customers. Many of the clients that are hardest hit are law firms that have maybe 10 or 15 employees. They don’t have the infrastructure to recover from something like this, so they rely on their MSP to do it, “he said.
“But at the same time you’d give a lot of money to a bad actor who showed that he was going to use that money to do worse things.”
None of the MSPs paid ransom, but Liska said he heard reports from other researchers saying that some of the end victims paid.
But overall, Liska told ZDNet that he believes most people would understand if Kaseya opted not to pay the ransom, even if it did help a lot of people. Unlike other attacks, victims could be absent for about a week or more, Liska added.
“A lot will depend on how much access the MSPs have to backups and other things that can help with recovery,” Liska said. “It looks like Kaseya is ready to release the patch in the next few days, and when that happens then all MSPs will be able to get their VSA back online and really assess what the damage is . “
#Kaseya #REvil #Pay #Ransom #Experts #torn #ZDNet