After a huge 4th of July weekend ransomware attack using American software company Kaseya’s remote IT software, the notorious Russian REvil ransomware gang has taken credit and demanded $70 million in Bitcoin.
This attack has potentially hit over a million systems for businesses across the globe, including an entire grocery store chain in Sweden. Let’s explore what happened, but before we go anywhere, make sure you turn on Windows 10’s secret anti-ransomware feature.
What happened during the 4th of July weekend?
Crashing the holiday weekend celebrations, hackers used remote IT management software platform Kaseya to stage a mass ransomware attack that has affected as many as 200 companies, according to a report from Bleeping Computer.
Kaseya has administrator access across systems by design as a managed service provider, to deliver its remote management. Because of this, an auto-update on Friday, July 2 delivered REvil ransomware to affected systems.
This attack was super effective because, as a Gartner analyst told The Guardian, this unique combination of a supply chain attack (sneaking malicious code into trusted software) and ransomware maximizes the damage done to a centrally-managed system such as Kaseya’s.
All files are encrypted by the attack and a $44,999 demand was made to unlock them. Kaseya jumped into action by strongly imploring customers to turn off their virtual system/server administrator (VSA) servers for the time being, so the attacker is not able to “shut off administrative access to the VSA.”
On Saturday, July 3, the impact of this attack was felt worldwide, as Bloomberg reported more than 1,000 businesses may have been affected. This even included 800 branches of the grocery chain Coop in Sweden, which were unable to open because cash registers were not working.
REvil Kaseya ransomware attack: The ransom demand
Following this, two big things happened. First of all, President Biden directed U.S. intelligence agencies to investigate this ransomware attack amid suspicions that the Russia-linked REvil gang was involved.
This suspicion was confirmed, as the gang officially took credit for the attack on a dark web blog and demanded $70 million in Bitcoin for a universal decryptor. According to The Record, no comment has been made on whether Kaseya will pay the ransom, and the hackers claim that “more than a million” systems were affected.
In the meantime, if you are an affected user, Kaseya is updating this incident report every four hours.