Russian-based hackers launched a cyberattack on at least 200 information technology management firms in the United States and demanded up to $5 million in ransom, it has been revealed.
The REvil gang, a major Russian-speaking ransomware syndicate that was linked to the meat processor JBS hacking incident, appears to be behind the attack despite President Joe Biden’s threat earlier this month of ‘retaliation’ to Russian President Vladimir Putin if the hacks continued.
The massive scale of the attack, which paralyzed the networks of at least 200 U.S. companies on Friday, was revealed by a cybersecurity researcher whose company was responding to the incident.
John Hammond of the security firm Huntress Labs said the criminals targeted a software supplier called Kaseya, which earlier in the day had said in a press release that the ‘potential attack’ had been ‘limited to a small number of on-premise customers only.’
‘We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us,’ the company wrote.
‘It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.’
The hackers used Kaseya’s network-management package as a conduit to spread the ransomware through cloud-service providers, Hammond said. Other researchers agreed with Hammond’s assessment.
‘Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,’ Hammond told the Associated Press in a direct message on Twitter.
‘This is a colossal and devastating supply chain attack.’
Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.
It was not immediately clear how many Kaseya customers might be affected or who they might be.
Kyle Hanslovan, CEO of Huntress Labs, told CNN that the attackers demanded a ransom of $5 million from at least one of the companies.
Cyber security expert Kevin Beaumont tweeted that the REvil ransom sought about $45,000 per victim, but added that ‘there’s no way to pay it.’
‘The payload has Donald Trump references (makes a change to references to Biden being a pedo etc),’ Beaumont tweeted. ‘It’s all one affiliate a la Darkside, so it’s possible they did too wide targeting (ie made a boo boo).’
He said that REvil also made references to Black Lives Matter in the registry key set of their ransomware attack.
Beaumont said that Kaseya ‘have shut down Kaseya Cloud entirely.’
Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.
‘This is SolarWinds with ransomware,’ he said.
Callow’s comment referred to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It’s no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.
‘There’s zero doubt in my mind that the timing here was intentional,’ he said.
Hammond of Huntress said he was aware of four managed-services providers — companies that host IT infrastructure for multiple customers — being hit by the ransomware, which encrypts networks until the victims pay off attackers.
He said thousands of computers were hit.
‘We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,’ Hammond said.
Hammond wrote on Twitter: ‘Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinokibi.’ The FBI linked the same ransomware provider to a May attack on JBS SA, a major global meat processor.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.
CISA urged anyone who might be affected to ‘follow Kaseya’s guidance to shut down VSA servers immediately.’ Kaseya runs what’s called a virtual system administrator, or VSA, that’s used to remotely manage and monitor a customer’s network.
Christopher Krebs, former CISA director, said on Twitter that: ‘News Flash: cybercriminals are a$holes.’
‘Keep all the Incident Response teams in mind this holiday weekend as they’re in the thick of it…again,’ Krebs wrote.
‘If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate IR.’
The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as ‘one of Miami’s oldest tech companies’ in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.
Brian Honan, an Irish cybersecurity consultant, said by email Friday that ‘this is a classic supply chain attack where the criminals have compromised a trusted supplier of companies and have abused that trust to attack their customers.’
He said it can be difficult for smaller businesses to defend against this type of attack because they ‘rely on the security of their suppliers and the software those suppliers are using.’
The only good news, said Williams, of Rendition Infosec, is that ‘a lot of our customers don’t have Kaseya on every machine in their network,’ making it harder for attackers to move across an organization’s computer systems.
That makes for an easier recovery, he said.
Active since April 2019, the group known as REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.
REvil is among ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts.
The average ransom payment to the group was about half a million dollars last year, said the Palo Alto Networks cybersecurity firm in a recent report.
Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims — though the long U.S. holiday weekend might give it more time to start working through the list.
Earlier this month, Biden did not rule out retaliation against Russian President Vladimir Putin for cyber attacks on American companies, saying: ‘We’re looking closely at that issue.’
However, when asked if he believed he was being tested by his Russian counterpart, Biden said: ‘No.’
White House Press Secretary Jen Psaki has said that Biden ‘certainly thinks that President Putin and the Russian government has a role to play in stopping and preventing’ cyber attacks on U.S. companies.
Earlier this month, it was also revealed that the U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals, a senior department official told Reuters.
Internal guidance sent to U.S. attorney’s offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.
The letter was sent to Deputy Attorney General Lisa Monaco and was titled ‘Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion,’ according to Cyber Scoop News which obtained a copy of the letter.
‘Recent ransomware attacks – including the attack last month on Colonial Pipeline – underscore the growing threat that ransomware and digital extortion pose to the Nation, and the destructive and devastating consequences ransomware attacks can have on critical infrastructure,’ Monaco wrote in the letter.
‘A central goal of the recently launched Ransomware and Digital Extortion Task Force is to ensure that we bring to bear the full authorities and resources of the Department in confronting the many dimensions and root causes of this threat.’
The guidance added: ‘To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking.’