Kaseya Hackers Demand $70 Million Ransom

HSBC, security, hacking

Number of organisations affected by damaging Kaseya ransomware attack grows from just 50, to roughly 1,500 businesses globally

The fallout from the devastating supply chain attack that targetted software from Miami-based Kaseya, continues to grow.

Security firms Sophos, Huntress and others pointed to a post (click here) on REvil’s “Happy Blog,” that claims that more than a million devices have been infected. The blog also reveals that REvil is asking for $70 million in Bitcoin to unlock all of them.

On Monday US President Joe Biden ordered US intelligence agencies to investigate the sophisticated attack, due to suspected Russian involvement.

Kaseya VSA hack

The hackers essentially hijacked a tool called VSA, which is used by companies that manage technology at smaller businesses, then encrypted the files of those customers.

The hackers attack on Kaseya was so far reaching that in Sweden for example, most of the grocery chain Coop’s 800 stores were unable to open because cash registers weren’t working.

State railways and a major pharmacy chain were also affected.

The CEO of Kaseya, Fred Voccola, on Friday just before the fourth of July weekend in the United States, said the firm estimated that only 50 or so businesses had been impacted by the REvil attack.

But on Monday Voccola has admitted that the numbers of customers impacted by the attack is actually much, much higher, with up to 1,500 organisations affected.

Quick response

“Kaseya…responded quickly to a ransomware attack on its VSA customers launched over the Fourth of July holiday weekend,” the firm announced in a statement on Monday.

“The company’s rapid remediation and mitigation measures saved thousands of small and medium-sized businesses from suffering devastating impacts to their operations and ensured business continuity,” it added.

It said that on 2 July at approximately 2pm EST, Kaseya was alerted to a potential attack by internal and external sources.

Within an hour, in an abundance of caution, Kaseya immediately shut down access to the software in question.

Kaseya said the attack had limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached.

“While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure,” the firm said. “Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants. Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”

Working feverishly

“Our global teams are working around the clock to get our customers back up and running,” said CEO Fred Voccola. “We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”

Kaseya is actively working with the FBI, CISA, Department of Homeland Security and the White House.

It is also working closely with FireEye Mandiant IR on the security incident.

“This is a collaborative effort to remediate the issue and identify the parties responsible so they may be held accountable,” added Voccola. “We are beyond grateful for their assistance getting our customers back online.”

“The immediate action-oriented and solution-based approach of CISA and the FBI, with tremendous overall support from the White House, has proven to be a huge help in ensuring that this attack led only to a very small number of impacted customers,” said Voccola. “While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated.”

Russian involvement?

REvil was the Russian gang blamed by the FBI last month for the ransomware attack on meat packer JBS.

And Western patience with Russia and its covert cyber activities is currently running very thin. As is patience with criminal gangs operating within Russian borders waging cyber attacks against Western nations.

Last week American and British cyber and intelligence agencies warned that Russian military hackers are targetting both the United States and Europe.

It should be remembered that US President Joe Biden and Russia’s President Vladimir Putin held a three hour face to face meeting in Geneva last month.

Biden and Putin spent much of that face-to-face meeting talking about cybersecurity issues, with Biden warning Putin of ‘retaliation’ if Russia attacks a list of 16 ‘critical’ facilities in America.

Soon after that, Russia’s Federal Security Service (FSB) head Alexander Bortnikov said that Russia would work together with the United States to locate cyber criminals.

Catastrophic damage

Meanwhile, security experts are warning that supply chain attacks such as this, is a cunning attack vector that can cause catastrophic damage.

“Combining a supply chain attack with ransomware is a lethal mix with powerful results,” said Jake Moore, cybersecurity specialist at ESET. “Both lines of attack are feared by those in charge of their networks but when fused together, the victims are multiplied and the money involved can be astronomical.”

“There will be huge initial pressures to restore the affected business networks but many will be forced to pay the demands simply because it remains the cheaper option,” said Moore.

“The supply chain attack is a cunning way to enter a network on the back of a third party’s prior trust and the damage has be shown to be catastrophic,” Moore added. “Although it may have taken the attackers more time and sophistication to inject the malicious code into the supplier’s software, once in, they can piggy back into every connected vendor’s software unnoticed and unscathed.”

“Fingers will be pointed and no doubt insurance calls will be made but this new wave of organised and tailored attacks is something we will have to come to expect in the future,” Moore warned.