Hackers Asking $70 Million to End Biggest Ransomware Attack on Record




Cybersecurity teams are working feverishly to stem the impact of the biggest ransomware attack on record, with some details emerging of how the Russian-linked gang behind it breached the company whose software was used to spread it.

An affiliate of the notorious REvil gang, best known for extorting $11 million from meat processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, mostly through companies that remotely manage the IT infrastructure of multiple clients, cybersecurity researchers said.

REvil was demanding ransoms of up to $5 million, the researchers said. But on Sunday night it offered, in a post on its dark web site, a universal decryption key that would unlock all affected machines in exchange for $70 million in cryptocurrency.

Earlier, the FBI said in a statement that it was investigating the attack, but that its magnitude “may ensure that we cannot respond to each victim individually.” Deputy National Security Advisor Anne Neuberger later released a statement saying President Joe Biden had “directed all government resources to investigate this incident” and urged anyone who believed they were compromised to alert the FBI.

Mr Biden suggested on Saturday that the United States would respond if it was determined that the Kremlin was involved. Less than a month ago, he urged Russian President Vladimir Putin to stop giving refuge to REvil and other ransomware gangs whose relentless extortion attacks the United States sees as a threat to its national security.

On Monday, Putin’s spokesman Dmitry Peskov was asked whether Russia was aware of the attack or had looked into it. He said no, but suggested it could be discussed by the United States and Russia in consultations on cybersecurity issues, for which no timeline has been set.

Wide range of victims

A wide range of businesses and public agencies have been affected by the latest attack, apparently on every continent, including in financial services, travel and leisure and the public sector, although few large companies, the cybersecurity company Sophos reported. Ransomware criminals infiltrate networks and plant malware that cripples them by encrypting all of their data. Victims receive a decryption key when they pay.

Swedish grocery chain Coop said most of its 800 stores would be closed for a second day on Sunday because its cash register software provider was paralyzed. A Swedish pharmacy chain, a chain of gas stations, the state railway and the public broadcaster SVT were also affected.

In Germany, an unnamed IT services company told authorities that several thousand of its customers were compromised, the dpa news agency reported. Also among the reported victims were two large Dutch IT service companies, VelzArt and Hoppenbrouwer Techniek. Most ransomware victims do not publicly report attacks or disclose whether they have paid ransoms.

Fred Voccola, CEO of the breached software company Kaseya, estimated the number of victims in the low thousands, mostly small businesses like “dental practices, architectural firms, plastic surgery centers, libraries, things like that”.

The company said in a notice posted on its website Monday that it “unfortunately fell victim to a sophisticated cyberattack.”

Voccola said in an interview that only 50 to 60 of the company’s 37,000 customers were compromised. But 70% of those were managed service providers who use the company’s compromised VSA software to manage multiple clients. The software automates the installation of software and security updates and manages backups and other vital tasks.

Strategic timeline

Experts say it is no coincidence that REvil launched the attack at the start of the July 4 holiday weekend, knowing that US offices would be understaffed. Many victims may not learn of it until they return to work on Monday. Most end users of managed service providers “have no idea” what software keeps their networks running, Voccola said.

Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.

“We have been told by our external experts that customers who have been exposed to ransomware and who receive communications from attackers should not click on any links – they can be turned into a weapon,” the company warned.

REvil’s offer of universal decryption for all victims of the Kaseya attack in exchange for $70 million suggests it cannot cope with the large number of infected networks, said Allan Liska, an analyst at the cybersecurity company Recorded Future. Although analysts reported seeing demands of $5 million and $500,000 for larger targets, the gang was apparently asking $45,000 in most cases.


“This attack is much bigger than expected and is getting a lot of attention. It is in REvil’s best interests to end it quickly,” Liska said. “It’s a nightmare to deal with.”

Analyst Brett Callow of Emsisoft said he suspected REvil was hoping insurers would run the numbers and conclude that the $70 million would cost them less than extended downtime.

Kevin Reed of Acronis said the offer of a universal decryptor could be a publicity stunt, because no human involvement would be required to pay the basic ransom demand of $45,000 apparently sent to the vast majority of targets. Analysts reported seeing demands of $5 million and $500,000 for larger targets, which would require negotiation.

Sophisticated ransomware gangs at REvil’s level typically examine a victim’s financial records, and insurance policies if they can find them, in the files they steal before activating the ransomware. The criminals then threaten to dump the stolen data online unless they are paid. In this attack, that does not appear to have happened.

How they did it

Dutch researchers said they alerted Miami-based Kaseya to the breach and that the criminals used a “zero day,” the industry term for a previously unknown security flaw in software. Voccola did not confirm this or provide details of the breach, except to say that it was not phishing.

“The level of sophistication here was extraordinary,” he said.

When cybersecurity firm Mandiant finishes its investigation, Voccola said, he was confident it would show the criminals not only abused Kaseya’s own code in breaking into its network, but also exploited vulnerabilities in third-party software.

It was not the first ransomware attack to exploit managed service providers. In 2019, criminals crippled the networks of 22 Texas municipalities through a single one. That same year, 400 U.S. dental offices were paralyzed in a separate attack.

One of the Dutch vulnerability researchers, Victor Gevers, said his team was concerned about products like Kaseya’s VSA because of the full control over vast computing resources they can offer. “More and more products used to ensure network security have structural weaknesses,” he wrote in a blog on Sunday.

Cybersecurity firm ESET has identified victims in at least 17 countries, including the UK, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.


Kaseya says the attack only affected “on-premises” customers, organizations running their own data centers, as opposed to its cloud-based services that run the software on behalf of customers. However, it also shut down those cloud servers as a precaution.

Kaseya, which on Friday urged customers to shut down their VSA servers immediately, said on Sunday that it hoped to have a fix in the coming days.

Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-crippling software and leases it to so-called affiliates who infect targets and earn the lion’s share of the ransoms. U.S. officials say the most powerful ransomware gangs are based in Russia and allied states and operate with the tolerance of the Kremlin, sometimes colluding with Russian security services.

Businesses around the world are attacked with ransomware roughly every 11 seconds, according to Cybereason. The security company predicts that global ransomware losses this year will reach $20 billion.

Cybersecurity expert Dmitri Alperovitch, of the think tank Silverado Policy Accelerator, said that while he does not think the attack on Kaseya is Kremlin-led, it shows Putin “hasn’t budged yet” on stopping cybercriminals.
