Russian hackers REvil claim to have infected a MILLION firms in massive cyber attack & demand $70M ransom in Bitcoin
RUSSIAN hackers REvil have demanded a $70 million ransom in Bitcoin for a decryption key, after a cyberattack that targeted 1,000 US firms.
The breach, which is the largest ransomware attack on record, has reportedly hit the IT systems of up to 1 million companies across the globe, by breaching the systems of US-based software firm Kaseya.
Those affected included a school in New Zealand and Swedish grocery chain Coop. as well as two major Dutch IT firms.
Meanwhile, the hackers suspected to be behind the mass extortion attack late on Sunday demanded $70 million to restore the data they are holding ransom - according to a posting on a dark web site.
The hackers reportedly later lowered their demands, asking for $50 million rather than the original $70m.
The group said: "We launched an attack on MSP providers. More than a million systems were infected.
"If anyone wants to negotiate about universal decryptor - our price is 70 000 000$ in BTC and we will publish publicly decryptor."
The demand was posted on a blog typically used by the REvil cybercrime gang - a group with links to Russia, that is considered to be among the cybercriminal world’s most prolific extortionists.
The structure of the gang makes it occasionally difficult to determine who speaks on the hackers’ behalf.
However, Allan Liska of cybersecurity firm Recorded Future told Reuters the message “almost certainly” came from REvil’s core leadership.
The attack, which happened on Friday, was among the most dramatic hacks ever seen, among a series of increasingly attention-grabbing moves from cyberhackers.
US President Joe Biden was on Saturday branded “weak” against Vladimir Putin, after hundreds of US companies were hit by the breach.
House Minority Leader Kevin McCarthy tweeted on the weekend: "Remember when President Biden gave Putin a list of things that were supposed to be off-limits for cyber attacks? What he SHOULD have said is that ALL American targets are off-limits."
The Republican added: "Biden is soft on crime and weak against Putin."
Biden had said the intel community is "unsure if Russia is to blame" for the ransomware attack.
"We’re not sure it’s the Russians. I directed the intelligence community to give me a deep dive on what's happened, and I'll know better tomorrow," the president said.
But he did warn: "If it is either with the knowledge of and/or a consequence of Russia, then I told Putin we will respond."
John Hammond, of the security firm Huntress Labs, said REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack.
Labeling it "a colossal and devastating supply chain attack," Hammond said the criminals targeted a software supplier called Kaseya.
They then used its network-management package to spread the ransomware through cloud-service providers, Hammond said.
Other researchers agree with that assessment.
James Shank, of threat intelligence firm Team Cymru, said "it’s reasonable to think that the timing was planned” to coincide with the Fourth of July.
At least 200 companies were initially thought to be paralyzed on Friday, according to a cybersecurity researcher whose company was responding to the incident.
Later reports put that figure closer to the 1,000 mark, with a map showing the spread of the intrusion still coming into focus.
Who are REvil?
REvil is a Russian-speaking hacking gang, which emerged in 2019.
The group is said to earn more than $100 million a year.
The group, which is also known as Sodinokobi, is known to target huge global companies, and demands to be paid in Bitcoin.
REvil has a page on the dark web called Happy Blog, where it has previously leaked sensitive information from the companies it targets.
There is no evidence that the group has links to Russsian officials.
The disruption spilled into the public domain when Swedish Coop grocery store chain was forced to close hundreds of stores on Saturday - when its cash registers had been knocked offline as a consequence of the attack.
Those hit included schools, small public-sector bodies, travel and leisure organisations, as well as credit unions and accountants.
However, Allan Liska believed the hackers may have bitten off more than they could chew by scrambling the data of hundreds of companies at a time.
The huge $70 million demand was an effort to make the best of an awkward situation, he said.
The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.
CISA urged anyone who might be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.”
Kaseya runs what’s called a virtual system administrator, or VSA, that’s used to remotely manage and monitor a customer’s network.
Biden last month said he had given Putin a list of 16 American entities that are "off-limits."
Speaking with reporters, he said: "I talked about the proposition that certain critical infrastructure should be off-limits to attack – period – by cyber or any other means.
"I gave them a list – 16 specific entities; 16 defined as critical infrastructure under US policy, from the energy sector to our water systems."
That came following two cyberattacks on Colonial Pipeline and meat-processer JBS Holdings.
Both companies reportedly paid millions of dollars in ransoms to regain access to their systems, Fox News reports.
Active since April 2019, the group known as REvil provides ransomware-as-a-service.
Most read in News
That means it develops network-paralyzing software and leases it out to those who infect targets and earn the lion’s share of ransoms.
Read More on The US Sun
REvil is among ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts.
The average ransom payment to the group was about half a million dollars last year, said the Palo Alto Networks cybersecurity firm in a recent report.
