Hackers demand $70 million to unlock businesses hit by sprawling ransomware attack


A hacking group that experts said was behind the sprawling ransomware attack that hit hours before the beginning of the July Fourth holiday weekend is demanding $70 million to unlock the thousands of businesses affected by the hack.

REvil, the same Russian-language group that was behind the attack on meat processor JBS, posted the demand on a dark web site associated with the group.

The group wants the funds in bitcoin, a popular cryptocurrency, and said that if it receives the money it will publish a "decryptor key," computer code that will unlock the victims' files.

The massive attack was carried out through Kaseya VSA, remote monitoring and management software made by Miami-based firm Kaseya that helps businesses administer their computer systems. Kaseya sells the tool to many large managed service providers, which in turn use it to monitor and control the networks of their small and midsize business customers. That structure is what gave the attack its reach: compromising the management tool at one provider put every network that provider administers within the attackers' grasp.

Kaseya acknowledged this weekend that it had been the victim of a "sophisticated cyberattack." In an interview with the Associated Press, Kaseya CEO Fred Voccola estimated the number of affected companies to be in the low thousands, made up almost entirely of small businesses.

Already, the ransomware attack has temporarily shut down hundreds of Coop Sweden grocery stores because their cash registers were locked up. In New Zealand, nine schools were affected to some degree, forcing some students to shut down their computers, according to the New Zealand Herald. ESET Research said on Twitter that it had identified victims in 17 countries so far.

The full scope of the attack likely won't be known for some time, especially as many workers are still off for the holiday weekend in the United States. Researchers say attackers often time their operations for holidays to take advantage of having fewer eyes on computer systems and slower responses from thinly staffed security teams.

REvil's demand for a single ransom covering all of the victims is likely an acknowledgment that the hacking group wants to end the attack quickly, said Allan Liska, a researcher with the cybersecurity firm Recorded Future.

"To me that's a sign that they realize that this is a bigger problem than they originally thought," Liska said. "But I think behind the scenes, this is a lot more than they probably anticipated."

The FBI said it is investigating the attack, and encouraged victims to report the effects to the agency.

"Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat," the agency wrote in a public notice Sunday.

Anne Neuberger, deputy national security adviser for cyber and emerging technology, said in a statement Sunday that President Joe Biden had "directed the full resources" of the government to investigate the attack.

The attack comes just weeks after Biden met with Russian President Vladimir Putin and discussed starting consultations on addressing cyberattacks. Biden said Saturday in comments to the press that the initial thinking was that the Russian government was not involved, but that the government was still looking into it.

Kaseya said in one of its regular updates that it is working with companies to mitigate the attack.

"We are confident we understand the scope of the issue and are partnering with each client to do everything possible to remediate," the company wrote.

Ransomware attacks, which have been increasing in frequency and severity since late 2019, regularly rely on unsophisticated methods to gain initial access to victims' systems. Commonly, cybercriminals send "phishing" emails that try to trick unsuspecting employees into clicking a link or opening an attachment and inadvertently installing malware on the system.

But this case appears to be different. Dutch researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) said this weekend that they had earlier identified a vulnerability in code used by Kaseya and were working with the company to patch it, but the attackers appear to have found and exploited it first.

"During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched," researcher Victor Gevers wrote in a blog post Sunday. "They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."

Kaseya spokesperson Dana Liedholm confirmed in an email the company has been working with the researchers. The attack was the result of multiple vulnerabilities, including the one reported by the researchers, she said.

Published: July 06, 2021

By: The Washington Post · Rachel Lerman, Gerrit De Vynck