Scale, details of massive Kaseya ransomware attack emerge – WSVN 7News | Miami News, Weather, Sports
BOSTON (AP) – Cybersecurity teams worked feverishly on Sunday to contain the effects of the largest global ransomware attack on record, as details emerged about how the Russia-linked gang breached the company whose software served as the conduit.
An affiliate of the notorious REvil gang, best known for extorting $11 million from meat processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said. They reported ransom demands of up to $5 million.
The FBI said in a statement on Sunday that it is investigating the attack with the federal Cybersecurity and Infrastructure Security Agency, although “the scale of this incident may make it impossible for us to respond to each victim individually.”
President Joe Biden suggested on Saturday that the US would react if the Kremlin was found to be involved at all. He said he had asked the secret service for “deep insight” into what was happening.
The attack comes less than a month after Biden urged Russian President Vladimir Putin not to provide a safe haven to REvil and other ransomware gangs whose relentless extortionate attacks the US sees as a threat to national security.
A wide range of businesses and government agencies were hit by the latest attack, apparently on every continent, including financial services, travel and leisure, and the public sector, though few large corporations, cybersecurity firm Sophos reported. Ransomware criminals break into networks and plant malware that, when activated, cripples those networks by encrypting all of their data. Victims receive a decryption key when they pay.
Swedish grocery chain Coop said most of its 800 stores would be closed for a second day on Sunday because their cash register software provider was paralyzed. A Swedish pharmacy chain, petrol station chain, the state railway and the public broadcaster SVT were also hit.
In Germany, an unnamed IT service provider informed the authorities that several thousand of its customers had been compromised, the news agency dpa reported. The reported victims also included two large Dutch IT service companies – VelzArt and Hoppenbrouwer Techniek. Most ransomware victims do not publicly report attacks or reveal whether or not they have paid a ransom.
Fred Voccola, CEO of the hacked software company Kaseya, estimated the number of victims at a few thousand, mostly small businesses such as “dental offices, architecture firms, plastic surgery centers, libraries, etc.”
Voccola said in an interview that only 50 to 60 of the company’s 37,000 customers were compromised. But 70% of those were managed service providers using the company’s hacked VSA software to manage multiple customers. VSA automates the installation of software and security updates and manages backups and other important tasks.
Experts say it was no coincidence that REvil launched the attack at the beginning of the July 4th holiday weekend, knowing the U.S. offices would be sparsely manned. Many victims may not find out about this until they get back to work on Monday. Most of the end customers of managed service providers have “no idea” which software is used to keep their networks running, said Voccola.
Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.
John Hammond of Huntress Labs, one of the first cybersecurity companies to sound the alarm about the attack, said REvil had demanded $5 million and $500,000 for the decryption key needed to unlock encrypted networks. The smallest demand was said to have been $45,000.
Sophisticated ransomware gangs at REvil’s level usually examine a victim’s financial records – and insurance policies, if they can find them – in files they steal before activating the data-encrypting malware. The criminals then threaten to dump the stolen data online if the ransom is not paid. However, it was not immediately clear whether this attack involved data theft; the mechanism of infection suggests that it did not.
“Theft of data typically takes time and effort on the part of the attacker, which is unlikely to be possible in an attack scenario like this with so many small and medium-sized victim organizations,” said Ross McKerchar, chief information security officer at Sophos. “We haven’t seen any evidence of data theft, but it’s early days and time will tell if the attackers will use this card to get victims to pay.”
Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a “zero day,” the industry term for a previously unknown vulnerability in software. Voccola would neither confirm this nor provide details of the breach, except to say that it was not phishing.
“The level of sophistication here has been exceptional,” he said.
When cybersecurity firm Mandiant finishes its investigation, Voccola is confident it will show that the criminals not only breached Kaseya code in breaking into its network, but also exploited vulnerabilities in third-party software.
It wasn’t the first ransomware attack to exploit managed service providers. In 2019, criminals crippled the networks of 22 Texas municipalities through a managed service provider. In the same year, 400 U.S. dental practices were paralyzed in a separate attack.
One of the Dutch vulnerability researchers, Victor Gevers, said his team is concerned about products like Kaseya’s VSA because of the complete control they have over huge computing resources. “More and more products with which networks are supposed to be secure and protected have structural weaknesses,” he wrote in a blog post on Sunday.
Cybersecurity company ESET identified victims in at least 17 countries, including the UK, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.
According to Kaseya, the attack affected only “on-premise” customers, i.e. companies that operate their own data centers, as opposed to its cloud-based services that run the software for customers. Kaseya nevertheless shut down those cloud servers as a precautionary measure.
Kaseya, which asked customers on Friday to shut down their VSA servers immediately, said on Sunday it hopes to have a patch in the next few days.
REvil has been active since April 2019 and offers ransomware-as-a-service, i.e. it develops the network-crippling software and rents it to so-called affiliates who infect targets and earn the lion’s share of the ransom. US officials say the most powerful ransomware gangs are based in Russia and allied states, and operate with the tolerance of the Kremlin and sometimes collaborate with Russian security services.
Cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank said that while he doesn’t believe Kaseya’s attack is being led by the Kremlin, it shows that Putin “has not done anything” to shut down cyber criminals.
Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.