Russian ransomware group demands $70 million in Kaseya attack

Meanwhile, Kaseya plays down the severity of the attack, describing it as “greatly overstated”

Posted 7 July 2021 by Christine Horton

The gang behind the latest big US ransomware attack has demanded $70 million (£50.5 million) to release a “universal decryptor” that it says will unlock the files of all victims.

It was initially revealed that the attack on Friday targeted 200 US customers of IT company Kaseya.

The REvil group claims its malware, which targeted US IT firm Kaseya, has hit one million systems.

However, this number has not been verified and the exact total of victims is unknown. In a press release issued by Kaseya, the firm said the attack “had limited impact”, with approximately 50 of its 35,000 Kaseya managed service provider (MSP) customers being breached, and up to 1500 end-customer businesses.

Kaseya CEO Fred Voccola said that “the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated.”

Kaseya said it acted quickly, “saving thousands of small and medium-sized businesses from suffering a devastating impact.”

According to the release, Kaseya was alerted to a potential attack at approximately 2pm EST by internal and external sources. Within an hour, “in an abundance of caution”, Kaseya had shut down access to the software in question.

The company is now working alongside various government agencies and a leading incident response team to support those impacted.

The BBC reports that the figure includes 500 Swedish Coop supermarkets and 11 schools in New Zealand. Two Dutch IT firms have also been hit, according to local media reports.

“While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure,” said the firm.

“Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants. Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”

Working with government agencies

“Our global teams are working around the clock to get our customers back up and running,” said Fred Voccola, CEO, Kaseya. “We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”

Kaseya said it is actively engaged with various governmental agencies including the FBI, CISA, the Department of Homeland Security and the White House. Computer incident response firm FireEye Mandiant IR is also working with Kaseya to mitigate the effects of the attack.

“This is a collaborative effort to remediate the issue and identify the parties responsible so they may be held accountable,” added Voccola. “We are beyond grateful for their assistance getting our customers back online. The immediate action-oriented and solution-based approach of CISA and the FBI, with tremendous overall support from the White House, has proven to be a huge help in ensuring that this attack led only to a very small number of impacted customers.”

Additionally, Kaseya IT Complete, the company’s suite of IT management and monitoring products “was minimally affected by the breach. Out of its 27 modules, only one, VSA, was compromised,” said Kaseya.

UK victims

On Monday a spokesperson said the NCSC was “actively working to fully understand this incident and mitigate potential risks to the UK.

“At this stage we have seen evidence of a limited impact to UK organisations, though our work is ongoing and we remain vigilant to any threats,” it noted.

Meanwhile, Tom Robinson, founder and chief scientist of the firm Elliptic, which analyses bitcoin payments, told the BBC it had also observed REvil continuing to negotiate with individual customers for smaller ransoms of about $200,000, despite the $70m request to unlock everything.