REvil (Ransomware Evil) is a private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the stolen information on its leak page, ‘Happy Blog’, unless the ransom is received. In a high-profile case, REvil attacked a supplier of the tech giant Apple and stole confidential diagrams of its upcoming products.
The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind this new colossal cyber attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers. The criminals are asking for a $70 million ransom in bitcoin to publish a public universal decryptor that will unlock all affected computers.
Kaseya Attack as New Colossal Cyber Attack
The Kaseya attack is what’s known as a software supply chain ransomware attack, in which a cyber-threat actor penetrates a software vendor’s network and sends malicious code to compromise the software before the vendor sends it out to its customers. The infected software then affects the customers’ data or systems. The hackers that targeted SolarWinds’ software used this type of attack to infiltrate major U.S. federal agencies and corporations.
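The paragraph above describes the mechanism: tampered code reaches customers through a channel they trust. One customer-side control is to refuse any update bundle that does not match an integrity manifest the vendor publishes separately from the download itself. The following is an added illustration written for this page, not Kaseya's or any vendor's code; the manifest layout, file names and byte contents are constructed assumptions.

```python
"""Verify an update bundle against a pinned integrity manifest before installing it.

Added example for this article, not code from any vendor. The manifest format
({"version": ..., "files": {name: sha256_hex}}) and the sample bundle contents
are assumptions constructed for the illustration.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(version: str, files: dict) -> dict:
    """Build the manifest a vendor would publish out of band (e.g. in signed release notes).

    `files` maps file name -> file bytes. Only the digests are published, not the bytes.
    """
    return {
        "version": version,
        "files": {name: sha256_hex(content) for name, content in files.items()},
    }


def verify_bundle(manifest: dict, bundle: dict) -> list:
    """Compare a downloaded bundle (name -> bytes) against the pinned manifest.

    Returns a sorted list of human-readable problems; an empty list means the
    bundle matches the manifest exactly. Files missing from the bundle, files
    the manifest never listed, and digest mismatches are all reported, so a
    dropped-in extra binary is caught as well as a modified one.
    """
    problems = []
    expected = manifest["files"]
    for name in expected:
        if name not in bundle:
            problems.append(f"{name}: listed in manifest but missing from bundle")
    for name, content in bundle.items():
        if name not in expected:
            problems.append(f"{name}: present in bundle but not in manifest")
            continue
        # compare_digest avoids timing side channels; irrelevant for public
        # hashes, but it is the habit worth keeping for any digest comparison.
        if not hmac.compare_digest(sha256_hex(content), expected[name]):
            problems.append(f"{name}: SHA-256 mismatch")
    return sorted(problems)


def install_if_verified(manifest: dict, bundle: dict, install) -> bool:
    """Run `install(bundle)` only when verification finds no problems."""
    if verify_bundle(manifest, bundle):
        return False
    install(bundle)
    return True


# --- constructed sample data (not real artifacts) ---------------------------
GOOD_BUILD = {
    "agent.bin": b"release 1.2.3 agent",
    "config.json": b'{"update_channel": "stable"}',
}
MANIFEST = build_manifest("1.2.3", GOOD_BUILD)

# A bundle whose agent binary was altered after the manifest was published.
TAMPERED_BUILD = dict(GOOD_BUILD, **{"agent.bin": b"release 1.2.3 agent" + b"\x00"})

# A bundle carrying a file the manifest never listed.
EXTRA_FILE_BUILD = dict(GOOD_BUILD, **{"unexpected.bin": b"not in manifest"})

# A bundle missing a file the manifest requires.
MISSING_FILE_BUILD = {"agent.bin": GOOD_BUILD["agent.bin"]}


if __name__ == "__main__":
    for label, bundle in [
        ("good", GOOD_BUILD),
        ("tampered", TAMPERED_BUILD),
        ("extra file", EXTRA_FILE_BUILD),
        ("missing file", MISSING_FILE_BUILD),
    ]:
        print(label, verify_bundle(MANIFEST, bundle) or "OK")
```

The check is only as strong as the manifest's independence from the download: if the manifest ships inside the same bundle, or the vendor's build pipeline itself produced the malicious artifact (the SolarWinds pattern the article refers to, where the tampered build was the vendor's own signed release), a matching digest proves nothing. It still blocks the common case of a package modified in transit or on a compromised distribution server, and it gives responders a concrete record of which files differed.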
It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers, in a statement on its website, to immediately shut down servers running the affected software. It said the attack was limited to a “small number” of its customers.
New Colossal Cyber Attack Resembles SolarWinds
Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor. “This is SolarWinds with ransomware,” he said. He was referring to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It’s no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added. “There’s zero doubt in my mind that the timing here was intentional,” he said.
Three Huntress Partners
Hammond of Huntress said he was aware of four managed-services providers — companies that host IT infrastructure for multiple customers — being hit by the ransomware, which encrypts networks until the victims pay off attackers. He said thousands of computers were hit. “We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” Hammond said.
Hammond wrote on Twitter: “Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinokibi.” The FBI linked the same ransomware provider to a May attack on JBS SA, a major global meat processor.
Attack on Global Meat Processor
The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact. CISA urged anyone who might be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.” Kaseya runs what’s called a virtual system administrator, or VSA, that’s used to remotely manage and monitor a customer’s network.
The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as “one of Miami’s oldest tech companies” in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.
REvil is among the ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts. The average ransom payment to the group was about half a million dollars last year, the cybersecurity firm Palo Alto Networks said in a recent report. Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims, though the long U.S. holiday weekend might give it more time to start working through the list.