BOSTON (AP) – Cybersecurity teams worked feverishly on Sunday to contain the effects of the largest global ransomware attack of all time, as some details emerged about how the Russia-linked gang breached the company whose software served as the conduit.
A member of the infamous REvil gang, best known for extorting $11 million from meat processor JBS after an attack on Memorial Day, infected thousands of victims in at least 17 countries on Friday, mostly through companies that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said. They reported ransom demands of up to $5 million.
The FBI said in a statement Sunday that it is investigating the attack with the federal Cybersecurity and Infrastructure Security Agency, although “the scale of this incident may make it impossible for us to respond to each victim individually”. Assistant National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had “directed all government resources to investigate this incident,” and urged anyone who believed they had been compromised to alert the FBI.
Biden suggested on Saturday that the US would react if the Kremlin is found to be involved at all.
The attack comes less than a month after Biden urged Russian President Vladimir Putin not to provide a safe haven to REvil and other ransomware gangs whose relentless extortionate attacks the US sees as a threat to national security.
A wide range of businesses and government agencies across all continents, including in financial services, travel and leisure, and the public sector – albeit a few large corporations – appeared to have been hit by the latest attack, cybersecurity firm Sophos reported. Ransomware criminals break into networks and sow malware that, when activated, cripples networks by encrypting all of their data. Victims receive a decoder key when they pay.
Swedish grocery chain Coop said most of its 800 stores would be closed for a second day on Sunday because their cash register software provider was paralyzed. A Swedish pharmacy chain, petrol station chain, the state railway and the public broadcaster SVT were also hit.
In Germany, an unnamed IT service provider informed the authorities that several thousand of its customers had been compromised, the news agency dpa reported. The reported victims also included two large Dutch IT service companies – VelzArt and Hoppenbrouwer Techniek. Most ransomware victims do not publicly report attacks or reveal whether or not they have paid a ransom.
Fred Voccola, CEO of the hacked software company Kaseya, estimated the number of victims to be a few thousand, mostly small businesses such as “dental practices, architecture firms, plastic surgery centers, libraries and the like”.
Voccola said in an interview that only between 50 and 60 of the company’s 37,000 customers have been compromised. But 70% were managed service providers using the company’s hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other important tasks.
Experts say it was no coincidence that REvil launched the attack at the beginning of the July 4th holiday weekend, knowing that U.S. offices would be sparsely staffed. Many victims may not find out about it until they get back to work on Monday. Most of the end customers of managed service providers have “no idea” what software is used to keep their networks running, said Voccola.
Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.
John Hammond of Huntress Labs, one of the first cybersecurity companies to sound the alarm on the attack, said he had seen REvil demand $5 million and $500,000 for the decryption key needed to unlock encrypted networks. The smallest amount demanded was said to have been $45,000.
Sophisticated REvil-level ransomware gangs usually examine a victim’s financial records – and insurance policies if they can find them – from files they steal before activating the data-encrypting malware. The criminals then threaten to dump the stolen data online unless they are paid. However, it was not immediately clear whether this attack involved data theft. The mechanism of infection suggests that it did not.
“Data theft typically takes time and effort on the part of the attacker, which is unlikely to be possible in an attack scenario like this with so many small and medium-sized victim organizations,” said Ross McKerchar, chief information security officer at Sophos. “We haven’t seen any evidence of data theft, but it’s early days and time will tell if the attackers will use this card to get victims to pay.”
Dutch researchers said they brought the vulnerability to the attention of Miami-based Kaseya, saying the criminals used a “zero day,” the industry term for a previously unknown vulnerability in software. Voccola would neither confirm this nor provide details of the breach – except to say that it was not phishing.
“The level of sophistication here has been exceptional,” he said.
When cybersecurity firm Mandiant finishes its investigation, Voccola is confident it will show that the criminals not only breached Kaseya’s code in breaking into its network, but also exploited vulnerabilities in third-party software.
It wasn’t the first ransomware attack to exploit managed service providers. In 2019, criminals hindered the networks of 22 Texan communities through a. In the same year, 400 U.S. dental practices were paralyzed in a separate attack.
One of the Dutch vulnerability researchers, Victor Gevers, said his team is concerned about products like Kaseya’s VSA because they have complete control over the huge computing resources that they can offer. “More and more products with which networks are supposed to be secure and protected have structural weaknesses,” he wrote on a blog on Sunday.
Cybersecurity company ESET identified victims in at least 17 countries including the UK, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.
According to Kaseya, the attack only affected “on-premise” customers, i.e. companies that operate their own data centers, as opposed to its cloud-based services that run software for customers. However, it shut down these servers as a precaution.
Kaseya, which asked customers on Friday to shut down their VSA servers immediately, said on Sunday it hopes to have a patch in the next few days.
REvil has been active since April 2019 and offers ransomware-as-a-service, i.e. it develops the network-crippling software and rents it to so-called affiliates who infect targets and earn the lion’s share of the ransom. US officials say the most powerful ransomware gangs are based in Russia and allied states, and operate with the tolerance of the Kremlin and sometimes collaborate with Russian security services.
Cybersecurity expert Dmitri Alperovitch of the think tank Silverado Policy Accelerator said that while he doesn’t believe the Kaseya attack is being led by the Kremlin, it shows that Putin “has not yet moved” to shut down cybercriminals.
The AP reporters Eric Tucker in Washington, Kirsten Grieshaber in Berlin, Jari Tanner in Helsinki and Sylvie Corbet in Paris contributed to this report.