Last weekend did not start out so nice. The hacking group behind what media is calling ‘colossal ransomware attack’ has demanded $70m (£50.5m) paid in Bitcoin in return for a "universal decryptor" that it says will unlock the files of all victims. The Russian associated REvil group is saying its malware, which initially targeted US IT firm Kaseya, has hit one million "systems."
This number has not been totally verified and the exact total of victims is unknown. Yet, victims include 500 Swedish Coop supermarkets and 11 schools in New Zealand. Two Dutch IT firms have also been hit, according to local media reports. The day of the attack, 2 July, cyber-security firm Huntress Labs estimated about 200 firms had been affected. The "supply chain" attack initially targeted Kaseya, before spreading through corporate networks that use its software. Kaseya said that fewer than 40 of its own customers had been affected. Because Kaseya provides software to managed service providers, firms which themselves provide outsourced IT services to other companies, the number of victims is likely much greater. And the number of individual computer systems within those victim organizations could be greater still.
Kaseya chief executive told media that the number of victims would probably be in the low thousands, made up of small organizations such as dental practices and libraries. For hundreds, perhaps thousands, of IT teams around the world this ransomware attack is a horrendous headache that is still growing. But the way the cyber-security world has pulled together to reduce the impact of the attack has been very commendable. Cyber-defenders, both private and public sector, have been issuing alerts while experts work out how best to untangle the web of victims.
There could have been far more victims if it wasn't for a busy and stressful weekend of work. The confidential digital path in the Kaseya system that let in the REvil hackers was known about before the attack. Researchers from the Dutch Institute for Vulnerability Disclosure found the problem and were helping Kaseya plug the hole long before the hackers found it. These researchers were a case of the good hackers racing to stop the bad hackers from getting in and as a Dutch analyst from the institute puts it, "Unfortunately, we were beaten by REvil in the final sprint."
This current attack indicates just how skilled, persistent and determined these criminals are, and that in spite of all the efforts of the cyber-security world and some believe that we are losing the race against ransomware. “The scale and sophistication of this global crime is rare, if not unprecedented," said the founder of the UK’s National Cyber Security Center. Most of REvil's members are believed to be based in Russia or countries that were formerly part of the Soviet Union. The cyber security source is criticizing Russia for providing a safe environment for ransomware hackers, but said that the West was making it too easy for these gangs to be paid and "unsurprisingly they are coming back for more." Experts have expressed surprise at the group's demand that the ransom should be paid in Bitcoin, as opposed to harder-to-trace cryptocurrencies such as Monero. Some researchers called REvil's decision to demand payment in Bitcoin, "weird."
Earlier this month the US Justice Department announced it had traced and seized millions of dollars’ worth of Bitcoin paid to the DarkSide ransomware group, responsible for shutting down the Colonial Oil Pipeline. "Following the money remains one of the most basic, yet powerful tools we have", said a Deputy US Attorney General.
The founder and chief scientist of the firm Elliptic, which analyses Bitcoin payments, said he had observed REvil continuing to negotiate with individual customers for smaller ransoms of about $200,000, despite the $70m request to unlock everything. He said REvil preferred to use Monero, but it would be difficult to purchase $70m of the currency for practical and regulatory reasons. "More and more ransomware operators are asking for Monero," he said.
At Red Sky Alliance, we can help INFOSEC teams with services beginning with cyber threat notification, analysis and complete elimination of cyber threat from both the inside and outside of networks. Our analysts will be happy to hold a brief call with your team members to help them better prepare for cyberattacks, malware and ransomware. And what if this call led to savings in current duplicated services and forecasted need for additional personnel?
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Interested in a RedXray subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/RedXray
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941