More details have emerged about a ransomware attack linked to suspected Russian criminals who targeted a U.S. software company with tens of thousands of customers around the world.
Security experts on July 5 continued to assess the extent of the damage from the attack, which has been claimed by hackers associated with the REvil gang, a major Russian-speaking ransomware syndicate. The cybercriminals have demanded $70 million in bitcoin in exchange for a decryption tool to free the data of companies targeted, but also indicated they were willing to negotiate.
Between 800 and 1,500 businesses around the world have been affected, the head of the company whose software is at the center of the attack said on July 5. Fred Voccola, CEO of Kaseya, said in an interview with Reuters that it was hard to estimate the precise impact because the companies and organizations hit were mainly customers of Kaseya's customers.
Cybersecurity experts said they believe the number of victims could be in the thousands in at least 17 countries. That would make the attack the largest ransomware attack ever carried out.
The disruption has been especially severe in Sweden, where hundreds of supermarkets belonging to the Coop chain had to close because their cash registers were inoperative. A Swedish pharmacy chain, gas station chain, the state railway, and public broadcaster SVT were also hit.
Germany's federal cybersecurity watchdog said an unidentified IT service provider that looks after several thousand customers had been hit. Two big Dutch IT services companies also were among the targets, and in New Zealand, schools and kindergartens were knocked offline.
Kaseya provides software tools to IT outsourcing companies that typically handle back-office work for businesses too small to have their own IT departments. One of those tools was breached on July 2, allowing the hackers to encrypt the victims' data, making it inoperable until a ransom is paid.
The hackers who claimed responsibility for the breach and demanded the $70 million ransom to restore all the affected businesses' data have indicated a willingness to negotiate, according to Reuters.
The news agency said it communicated with a representative of the group in a chat interface on the hackers' website. The representative declined to be identified by name.
Voccola refused to say whether he would negotiate. "I can't comment 'yes,' 'no,' or 'maybe'," he told Reuters when asked whether his company would talk to or pay the hackers. "No comment on anything to do with negotiating with terrorists in any way."
Voccola said he had spoken to officials at the White House, the FBI, and the Department of Homeland Security about the breach. He added that he was not aware of any nationally important business being affected.
Cybersecurity experts had said earlier that REvil appears to be behind the attack, which they noted was strategically launched at the start of the U.S. Independence Day holiday weekend.
The FBI believes that REvil was behind a ransomware attack in May on meat-processing giant JBS. The Brazil-based company ended up paying $11 million in bitcoin to the hackers.
Another high-profile ransomware attack in May targeted Colonial Pipeline, which temporarily closed the largest U.S. gas pipeline. U.S. law enforcement authorities said they recovered most of the ransom paid to another criminal group, DarkSide, in the pipeline case.
In June, U.S. President Joe Biden pressed Russian President Vladimir Putin during their summit in Geneva about ransomware gangs allegedly operating with impunity in Russia. Biden said he also told Putin that the United States would respond if an investigation determines that the Russian government is behind an attack. Putin spokesman Dmitry Peskov on July 5 said the United States had not asked the Kremlin about the ransomware attack involving Kaseya. He suggested it could be discussed during U.S.-Russian consultations on cybersecurity issues that Putin and Biden agreed to hold. No date has been set for those consultations.