The REvil ransomware gang has taken credit for the Kaseya attack that has affected more than 1,000 companies worldwide and prompted an investigation by U.S. intelligence agencies. The criminals are asking for a $70 million ransom in bitcoin to publish a public universal decryptor that will unlock all affected computers.
As reported by the Record, REvil posted a message accepting responsibility for the attack on its dark web blog. The ransomware gang, which had been suspected of being the culprit before it went public, also shed further light on the purported scale of the attack, claiming that more than one million systems were infected. Kaseya reported the attack last Friday.
REvil, also known as Sodinokibi, is a notorious cybercriminal gang that has used ransomware to go after big name companies, including Apple and Acer. Most recently, it targeted JBS, the world’s largest meat processing company, which paid it $11 million in bitcoin to mitigate fallout from the attack and protect its data.
“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected,” the REvil gang said, according to the Record. “If anyone wants to negotiate about universal decryptor–our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal–contact us using victims ‘readme’ file instructions.”
Dana Liedholm, a Kaseya spokesperson, told Gizmodo on Monday that the FBI and other independent groups have said with confidence that REvil had carried out the attack and that the company was trusting these experts.
“Regarding ransom we are not commenting on this as it’s a criminal investigation and we can’t at this time,” Liedholm said.
The Kaseya attack is what’s known as a software supply chain ransomware attack, in which a cyber threat actor infiltrates a software vendor’s network and sends malicious code to compromise the software before the vendor sends it out to its customers. The infected software then affects the customers’ data or systems. The hackers that targeted SolarWinds’ software used this type of attack to infiltrate major U.S. federal agencies and corporations.
Kaseya, meanwhile, sells its products to managed service providers, or MSPs, which are companies that provide remote IT services to hundreds of smaller businesses that don’t have the resources to assume those functions themselves. MSPs use Kaseya’s VSA cloud platform to manage and send software updates to these businesses as well as resolve other issues.
In Kaseya’s case, initial reports state that REvil gained access to the company’s backend infrastructure and used it send an update with malware to VSA servers running on client premises. The malicious update then installed the ransomware from the VSA server on all connected computers, the Record states. This, in turn, spread the ransomware to other companies that were connected to the VSA systems. Nonetheless, specifics on the attack are still uncertain, and information is evolving constantly.
In its Monday update at 1 p.m. ET about the situation, Kaseya said that all on-premises VSA servers should continue to remain offline until customers receive instructions from Kaseya about when it’s safe to restore operations. On Sunday, Kaseya CEO Fred Voccola said the company knew how the attack had happened and that it was remediating it.
If Kaseya, or any of the other companies affected, pay REvil’s $70 million ransom, it would be the highest ransomware payment ever made.