Fallout continues from biggest global ransomware attack

  • Comments
  • Print
Listen to this story

Subscriber Benefit

As a subscriber you can listen to articles at work, in the car, or while you work out. Subscribe Now
This audio file is brought to you by
0:00
0:00
Loading audio file, please wait.
  • 0.25
  • 0.50
  • 0.75
  • 1.00
  • 1.25
  • 1.50
  • 1.75
  • 2.00

The single biggest ransomware attack yet continued to bite Monday as more details emerged on how a Russia-linked gang breached the exploited software company. The criminals essentially used a tool that helps protect against malware to spread it globally.

Thousands of organizations—largely firms that remotely manage the IT infrastructure of others—were infected in at least 17 countries in Friday’s assault. Kaseya, whose product was exploited, said Monday that they include several just returning to work.

Because the attack by the notorious REvil gang came just as a long Fourth of July weekend began, many more victims were expected to learn their fate when they return to the office Tuesday.

REvil is best known for extorting $11 million from the meat processor JBS last month. Security researchers said its ability to evade anti-malware safeguards in this attack and its apparent exploitation of a previous unknown vulnerability on Kaseya servers reflect the growing financial muscle of REvil and a few dozen other top ransomware gangs whose success helps them afford the best digital burglary wares. Such criminals infiltrate networks and paralyze them by scrambling data, extorting their victims.

REvil was seeking $5 million payouts from the so-called managed service providers that were its principal downstream targets in this attack, apparently demanding much less—just $45,000—from their afflicted customers.

But late Sunday, it offered on its dark web site to make available a universal decryptor that would unscramble all affected machines if it’s paid $70 million in cryptocurrency. Some researchers considered the offer a PR stunt, while others thought it indicates the criminals have more victims than they can manage.

Sweden may be hardest hit—or at least most transparent about the damage. Its defense minister, Peter Hultqvist, bemoaned in a TV interview “how fragile the system is when it comes to IT security.” Most of the Swedish grocery chain Coop’s 800 stores were closed for a third day, their cash registers crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT also were hit.

A wide array of businesses and public agencies were affected, including in financial services and travel, but few large companies were hit, the cybersecurity firm Sophos said. The United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya were among countries affected, researchers said.

In a statement Sunday, deputy U.S. national security adviser Anne Neuberger urged all victims to alert the FBI. A day earlier, the FBI said in an alert that the attack’s scale “may make it so that we are unable to respond to each victim individually.”

The vast majority of ransomware victims are loathe to publicly admit it, and many avoid reporting attacks to law enforcement or disclosing if they pay ransoms unless required by law.

President Joe Biden said Saturday that he ordered a “deep dive” by U.S. intelligence into the attack and that the U.S. would respond if it determines the Kremlin is involved. In Geneva last month, Biden sought to pressure Russian President Vladimir Putin to end safe haven for REvil and other ransomware gangs that operate with impunity in Russia and allied states as long as they avoid domestic targets. The syndicates’ extortionary attacks have worsened in the past year.

On Monday, Putin spokesman Dmitry Peskov was asked if Russia was aware of the attack or had looked into it. He said no but suggested it could be discussed during U.S.-Russian consultations on cybersecurity issues. No date has been set for such consultations, and few analysts expect the Kremlin to crack down on a crime wave that benefits Putin’s strategic objectives of destabilizing the West.

Kaseya said Monday that fewer than 70 of its 37,000 customers were affected, though most were managed service providers with multiple downstream customers. Most managed service providers were apt to know by Monday if they were hit but that may not be true for many of the small and medium-sized organizations they serve, said Ross McKerchar, chief information security officer at Sophos. The MSPs are flying blind because the very software tool they use to monitor customer networks was knocked out by the attack.

The hacked Kaseya tool, VSA, remotely maintains customer networks, automating security and other software updates.

In a Monday report on the attack, Sophos said a VSA server was breached with the apparent use of a “zero day,” the industry term for a previously unknown software security hole. Like other cybersecurity firms, it faulted Kaseya for aiding the attackers by asking customers not to monitor its on-premise “working” folders for malware. From inside those folders, REvil’s code could work undetected to disable the malware- and ransomware-flagging tools of Microsoft’s Defender program.

Sophos said REvil made no attempt to steal data in this attack. Ransomware gangs usually do that before activating ransomware so they can threaten to dump it online unless they are paid. This attack was apparently bare bones, only scrambling data.

In a Sunday interview, Kaseya CEO Fred Voccola would not confirm the use of a zero day or offer details of the breach—except to say that it was not phishing and that he was confident that when an investigation by the cybersecurity firm is complete, it would show that not just Kaseya but third-party software were breached by the attackers.

Please enable JavaScript to view this content.

Story Continues Below

Editor's note: You can comment on IBJ stories by signing in to your IBJ account. If you have not registered, please sign up for a free account now. Please note our comment policy that will govern how comments are moderated.

4 thoughts on “Fallout continues from biggest global ransomware attack

    1. Interesting comment. Seemingly you are Republican, so it sounds like you believe that government has some responsibility to protect and regulate markets and industry.

      On that point, it seems we agree. Government does have some responsibility. I hope Republican politicians will see this and follow through with funding and support.

      However I will have to disagree in that I have seen NO mollycoddling for the Russians from this President.

    2. Fortunately, James P, you know next to nothing about hardcore technology, to even begin to discuss the subject at the surface level, let alone the bits ‘n bytes. Otherwise, you’d know the primary name of the exploit these hackers are using and how best to defend against the primary method of injection…and that your RINO Trump would have *no* idea where to begin defending against (as in blocking) it. Donald might have a chance of understanding it if Sesame Street were to begin broadcasting on FoxNews or NewsMax.

  1. I thought this was about the ransomware? But I guess everything is political these days. Biden is too weak to do anything. Biden will do whatever the Democratic party tells him to do. He doesn’t have the spine or desire to think for himself. The Republican party didn’t even like Trump because they couldn’t control him. Trump was more concerned about what would benefit America than playing politics or caring what the Republican’s wanted him to do. The only reason they backed him for a 2nd term was he was most likely to beat Biden. And he would have if the Democrats would have played fairly. But they couldn’t risk Trump beating them again.

Get the best of Indiana business news. ONLY $1/week Subscribe Now

Get the best of Indiana business news. ONLY $1/week Subscribe Now

Get the best of Indiana business news. ONLY $1/week Subscribe Now

Get the best of Indiana business news. ONLY $1/week Subscribe Now

Get the best of Indiana business news.

Limited-time introductory offer for new subscribers

ONLY $1/week

Cancel anytime

Subscribe Now

Already a paid subscriber? Log In

Get the best of Indiana business news.

Limited-time introductory offer for new subscribers

ONLY $1/week

Cancel anytime

Subscribe Now

Already a paid subscriber? Log In

Get the best of Indiana business news.

Limited-time introductory offer for new subscribers

ONLY $1/week

Cancel anytime

Subscribe Now

Already a paid subscriber? Log In

Get the best of Indiana business news.

Limited-time introductory offer for new subscribers

ONLY $1/week

Cancel anytime

Subscribe Now

Already a paid subscriber? Log In