Thousands of Companies Likely Compromised in Latest Ransomware Attack

On the last day of June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new tool: the Ransomware Readiness Assessment. The tool is designed to give network administrators an evaluation tool for their cybersecurity practices.

Almost on queue, a gigantic, coordinated worldwide ransomware attack hit what is likely thousands of companies two days later. The attack Friday was perpetuated by REvil, the same group that disrupted global meat giant JBS in late May.

[Statistics on countries affected by darkweb ransomware]
There are 2,596 affected organizations in 84 countries.

[TOP 5]
1. USA (53.7%)
2. Canada (6.5%)
3. France (5.5%)
4. UK (5.3%)
5. Italy (3.8%) pic.twitter.com/7bVtx7jArI

— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) July 6, 2021

The new attack is being called the Kaseya attack, because it used a vulnerability in IT services firm Kaseya to push the ransomware to multiple targets. (Kaseya has been issuing ongoing updates to the situation on its website.) As a managed service provider, Kaseya develops IT network administration tools and bundles them. It works with customers directly and it also provides the tools to IT contractors, who then deploy the tools to mostly small- and medium-sized business that outsource their IT infrastructure management.

The attackers compromised the system Kaseya used to push updates to its customers, thus infecting the networks of potentially thousands of companies. It was a particularly effective attack vector for ransomware, according to a report in WIRED.

“What’s interesting about this and concerning is that REvil used trusted applications in every instance to get access to targets. Usually ransomware actors need multiple vulnerabilities at different stages to do that or time on the network to uncover administrator passwords,” Sophos senior threat researcher Sean Gallagher told WIRED. “This is a step above what ransomware attacks usually look like.”

According to the Associated Press (AP), REvil’s primary target was the managed-service providers. The attackers were seeking ransom payments of $5 million from each of them, with demands from downstream customers scaling back considerably to as low as $45,000 in some reported cases.

REvil publicly took credit for the attack on Friday, claiming more than a million systems were infected. It offered a universal decryption key for $70 million, a price they reportedly are willing to drop to $50 million. The AP reports that the unusual move is being described as a public relations stunt or an indication that the attack is so widespread that it is overwhelming REvil’s capacity to manage it.

CISA, in conjunction with the FBI, issued guidance on Sunday for firms affected or potentially affected. The guidance includes a Kaseya VSA Detection Tool, as well as a list of procedures to follow, such as enforcing two-factor authentication and limiting remote management and monitoring to known IP addresses.

The nature of the attack vector means major public sector, utilities, and other critical infrastructure was largely spared. However, it is truly worldwide attack. The United States, Canada, and Sweden are hotspots, but the disruption ranged from schools in New Zealand to companies in Spain, Argentina, and Indonesia. A German IT services company, not yet publicly identified, told authorities that thousands of its customers were compromised.

One particularly hard hit company is Coop, a Swedish-based grocery store chain. The company uses Visma Esscom in its payment systems, and Visma Esscom uses Kaseya. Hundreds of its stores were shuttered, with many remaining closed through Monday—those that opened found alternative means to accept payment. To fix the issues caused by the ransomware attack, Reuters reports that technicians must go to each store and restore each register manually from backups. The process could take weeks.

In a brief press availability on Saturday, U.S. President Joe Biden referenced his recent conversation with Russian President Vladimir Putin, and said there would be a response if Russia was found to be involved. How tied REvil is to the Russian government, however, is not known.