Kaseya ransomware attackers demand $70 million, claim they infected over a million devices
Three days after ransomware attackers started the holiday weekend by compromising Kaseya VSA, we have a clearer idea of how widespread the impact has been.
In a new ransom demand, the attackers claim to have compromised more than 1 million computers, and demand $70 million to decrypt the affected devices.
Kaseya’s software is used by Managed Service Providers to perform IT tasks remotely, but on July 2nd, the Russia-linked REvil ransomware group deployed a malicious software update exposing providers who use the platform, and their clients.
The Dutch Institute for Vulnerability Disclosure (DIVD) revealed that it appears the exploit used for the breach was same one they discovered and were in the process of addressing when the attackers struck. “We were already running a broad investigation into backup and system administration tooling and their vulnerabilities,” DIVD wrote. “One of the products we have been investigating is Kaseya VSA. We discovered severe vulnerabilities in Kaseya VSA and reported them to Kaseya, with whom we have been in regular contact since then.”
On Friday, Kaseya CEO Fred Vocolla said that “Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.” Sophos VP Ross McKerchar said in a statement Sunday that “This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger followed up on earlier comments by President Biden, saying
“The FBI and CISA will reach out to identified victims to provide assistance based upon an assessment of national risk.”. 
Huntress Labs is participating in the response to the attack and has cataloged most of the available information, saying the attack compromised over 1,000 businesses that it’s tracking.
> Sophos, Huntress and others pointed to this post (above) on REvil’s “Happy Blog,” claiming that more than a million devices have been infected and setting a ransom demand of $70 million in Bitcoin to unlock all of them.
REvil has been linked to a slew of ransomware incidents, including one attack involving Kaseya in June 2019, and a high-profile incident earlier this year targeting the meat supplier JBS. However, security researcher Marcus Hutchins expressed skepticism about the group’s claim, suggesting they’re overstating the impact in hopes of extracting a large payout from Kaseya or someone else . . ."
=========================================================================
Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a “zero day,” the industry term for a previous unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing.
“The level of sophistication here was extraordinary,” he said
Victims > Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms.
Scale, details of massive ransomware attack emerge
An affiliate of the notorious REvil gang infected thousands of victims in at least 17 countries.
The FBI said in a statement Sunday that it was investigating the attack. | Jose Luis Magana/AP Photo
BOSTON — Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.
An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said. They reported ransom demands of up to $5 million.
> The FBI said in a statement Sunday that it was investigating the attack along with the federal Cybersecurity and Infrastructure Security Agency, though “the scale of this incident may make it so that we are unable to respond to each victim individually.”
> The attack comes less than a month after Biden pressed Russian President Vladimir Putin to stop providing safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.
> A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported. Ransomware criminals break into networks and sow malware that cripples networks on activation by scrambling all their data. Victims get a decoder key when they pay up.
> John Hammond of Huntress Labs, one of the first cybersecurity firms to sound the alarm on the attack, said he’d seen $5 million and $500,000 demands by REVil for the decryptor key needed to unlock scrambled networks. The smallest amount demanded appears to have been $45,000.
> Sophisticated ransomware gangs on REvil’s level usually examine a victim’s financial records — and insurance policies if they can find them — from files they steal before activating the data-scrambling malware. The criminals then threaten to dump the stolen data online unless paid. It was not immediately clear if this attack involved data theft, however. The infection mechanism suggests it did not.
