Massive Kaseya attack demands up to $70 million ransom from more than 200 US businesses

Florida-based IT company Kaseya has been targeted in a ‘colossal’ ransomware attack, believed to be at the hands of the Russia-linked REvil group taking advantage of an existing vulnerability in its servers. The attack happened on Friday 2nd July, as businesses across the US wound down for the long Independence Day weekend.

According to Kaseya, an application running its corporate servers, computers and other network-connected devices was compromised as a result of this attack. The IT company, which has more than 36,000 customers in over ten countries, has since asked users to shut down their servers urgently.

So far, it is understood that REvil targeted Kaseya’s servers and from there was able to focus on encrypting the associated managed service providers (MSPs) and their customers, including the Swedish Coop supermarket chain, a customer of Visma EssCom.

However, since its initial demands, the REvil gang is already raising its ransom; just days after the attack, the group supposedly demanded between $40,000 and $45,000 per encrypted file extension. For context, each victim MSP has several files encrypted by REvil, with one victim revealing that the criminal gang demanded half a million dollars to decrypt its 12 ransomed files. REvil is also offering a universal decryptor, via its leak site, for a staggering $70 million.

In an alleged interview, the group spoke to XSS prior to the attack; the full video can be heard here in Russian. In this translation, the group elaborates on the nature of its ransomware:

Russian OSINT: “REvil deposited a million dollars on a hacker forum” – this is how a big headline in Hacker magazine sounded just recently. “Thus, hackers want to prove to potential partners that they are serious about the matter,” Maria Nefyodova wrote in the article. As an ordinary person, together with the audience, it is interesting to know what REvil (or, as it is also called, Sodinokibi) is. Do I understand correctly that the encryption program REvil is being used to get ransoms from organizations in the event of a successful attack?

REvil: REvil (or as the information security vendors call it) is an encryptor written in C. Yes, the program encrypts user files, thereby restricting access to them. For a successful attack, it is also necessary to liquidate backups (NAS and tape storage, for example) and “merge” as much information as possible to yourself. Very often they pay not for the fact of encryption, but for the fact that these files do not get into public access. An example of how not to do it is Travelex. In my memory, as a result of our attack, they simply went bankrupt due to the fall in shares.

Russian OSINT: As journalists write, REvil operates on the RaaS (Ransomware-as-a-Service) model; under this agreement, affiliates and ransomware developers share the proceeds from the ransom. Is it true that with such a “division of labor”, malware developers get a 20-30% share, while distributors get 70-80% of the ransoms received?

REvil: Yes, it is. Distributors do the bulk of the work, and the software is just a tool. I think this is fair.

The group went on to discuss the exact arrangements when leasing its RaaS, and how finances are divided between it and its partners:

Russian OSINT: What service options do you provide to your partners today?

REvil: Negotiations, pressure on the organization. Well, the software itself. Receiving a ransom, providing a decoder.

Russian OSINT: Once again, I want to capture an important point for viewers: when a partner asks you to provide him with your service, do you lease REvil to him? That is, the partner does not control the encryptor and does not know how its internals work … he only uses the finished product. Right?

REvil: We provide software and our own negotiation services. The partner’s task is to infect the network and kill backups. Download files. Everything. The rest is our concern.

Russian OSINT: If an organization pays a ransom, does the money go to you first, and then you distribute it among the partners?

REvil: It is immediately and automatically distributed by the system. But the original wallet is of course ours.

Turning our attention back to this attack, the ransomware group has said that only the networks have been encrypted and that, at the time of writing this blog, none of the victims’ data has been stolen to be used as leverage – though this could change as negotiations continue.

Though the ransom in this case is indeed large, it would account for only a percentage of what the group makes annually, which it revealed via the alleged interview to be ‘more than $100 million a year.’

Beyond asking its customers to shut down their servers immediately, Kaseya is also working to create a patch for the vulnerability that allowed Friday’s attack to occur. Unfortunately for Kaseya’s customers, the damage is already done.

Speaking of future campaigns, the group allegedly announced that another attack, on a well-known game developer, is imminent:

Russian OSINT: When I was preparing for the release, I must admit that I did not fully realize how serious ransomware is and, in particular, that REvil is involved in a number of high-profile scandals; it is mentioned by such authoritative media as Forbes, the Wall Street Journal, BBC, Security Lab, Xakep, Cyberbeast, even on Wikipedia … What TOP-3 public attacks of REvil do you think are the most resonant?

REvil: Travelex, Grubman and Texas 23 counties. This is for a moment. There will be one more very loud attack, but we will not advertise it for now. I will just say that it is connected with a very large game developer.

Blueliv’s advice

As ransomware attacks continue to dominate headlines the world over, Blueliv advises would-be victims to look for tools that can detect and/or mitigate such attacks early. One such tool is Blueliv’s Threat Context. In the face of ransomware attacks, Blueliv’s Threat Context module pivots on the initial threat before it can cause a complete breach, thanks to its database of more than 220 million items that allows users to identify associated malware, campaigns, and exploited common vulnerabilities and exposures (CVEs).

Users can then prioritize their CVEs and, using a score-based analysis of the ransomware, correlate them with existing campaigns. Threat Context also allows users to hunt down malware via Blueliv’s sandbox analysis and receive in-depth analysis of the threat straight from the Blueliv Labs team.

To ensure organizations are not swept up in future attacks, Blueliv urges SOC teams to incorporate sophisticated threat intelligence platforms that can help them survive attacks of this magnitude.
