The hackers behind a major cyberattack which impacted hundreds of companies over the weekend have demanded a sizable ransom to free up seized data.
A Russian-linked hacker syndicate, the infamous REvil group, claimed responsibility for the attack on Sunday.
“We launched an attack on MSP providers,” the group said in a statement posted on the dark web. “More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly.”
At least 200 US companies have been impacted by the cyberattack, which escalated rapidly on Friday.
Hackers were able to cripple dozens of companies by compromising software provided by Kaseya, a US-headquartered software and IT management firm.
Kaseya’s Virtual System/Server Administrator product enables users to automate and manage tasks, including patches and updates.
These products are commonly used by Managed Service Providers (MSPs), which according to researchers at Quorum Cyber meant the attackers were able to target many organisations across a diverse range of sectors.
“These MSPs provide IT services and server hosting for a wide variety of other organisations,” says Quorum Cyber’s Mark Cunningham-Dickie. “By targeting one organisation, the MSP, it allowed the hackers to impact and ransom many.”
This domino effect in the wake of the Kaseya attack has led to widespread disruption across a range of industries. Coop, one of Sweden’s leading grocery chains, was forced to close hundreds of stores across the country over the weekend.
Security researchers have also warned that thousands of other businesses and public organisations may have been indirectly affected by the breach, including schools, credit unions, accountancy firms and public sector authorities.
Quorum Cyber’s Incident Response team was one of many that burned the midnight oil this weekend fighting to mitigate the impact of the attack, the timing of which is a key talking point, according to Head of Managed Services, David McKenzie.
Coinciding with the American Independence Day weekend, the Kaseya attack sought to destabilise and wreak havoc during a period where many organisations in the US operate at a reduced capacity.
“This was a conscious decision by the threat actors to inflict damage when there would be reduced resources to deal with it,” he said.
“With the time zone difference, this meant that UK organisations were alerted to the issues in the late evening; again when resources and, for most companies, the ability to react may be diminished.”
Kaseya’s initial advice for organisations to shut devices down was wise, McKenzie notes; it ensured that a shut-down device could not be used as part of the ongoing attack.
However, this caused certain limitations for teams scrambling to mitigate the scale of the problem.
“Unfortunately, in shutting servers down it removed the ability to perform forensic analysis on what was happening in the device’s memory, where vital Indicators of Compromise (IoCs) might have been gained,” he says.
“This meant that we could only look for indicators of compromise that were written to disk, so files, file access information, registry entries, some commands, and internet connectivity history.”
Kaseya has posted regular updates throughout the incident to inform customers of the situation as it unfolded. The firm also released a compromise detection tool on Saturday, which hundreds of organisations raced to use.
This isn’t the first time the REvil hacker group has grabbed headlines in recent months.
In June, the syndicate claimed responsibility for the attack which disrupted JBS, a major meat supplier. JBS subsequently paid the hacker group $11 million to gain access to company systems.
Earlier this year, the Colonial Pipeline attack also marked a concerning escalation.
Although cybercriminal elements and state-linked hacker groups have grown in sophistication in recent years, Cunningham-Dickie says this latest attack raises new questions about capabilities – thus far it appears there was a critical oversight.
Notably, Cunningham-Dickie and McKenzie both agree that this “wasn’t the smartest bit of ransomware”.
“It was really bizarre because the ransomware itself actually disabled Sophos, so they were obviously thinking that they needed to disable anti-virus, but they only thought Sophos, not the others,” Cunningham-Dickie explains.
“If they had taken down others, this would’ve prevented triggering a lot more alerts. It’s strange that they’ve clearly thought about this, but not fully followed through. It could be an oversight on their part.”
The hackers behind the Kaseya attack are undoubtedly capable, Cunningham-Dickie adds. After all, they targeted a specific piece of software and timed their attack to perfection.
To then be let down by focusing solely on Sophos anti-virus highlights the “disparate nature of the groups, as well as the varying skillsets”.
Looking ahead to the latter half of 2021, Cunningham-Dickie believes organisations will continue to face an increasingly perilous cybersecurity landscape.
“I’d like to think that it’s going to drop off toward the end of the year, because we have seen other [hacker] groups stating that they are stopping and making their code open source,” he says.
“However, the likes of REvil, the likes of Conti, they’ve not slowed down. They’ve not shown any concern with regard to increased attention [from law enforcement]. I suspect that these players are going to stick around through the latter part of this year.”
Similarly, McKenzie believes the scale of this latest attack will add fuel to the fiery debates raging around ransomware and how to tackle it.
“The biggest concern for many organisations is the extraction of data. That has added an entirely different skew on things over the last year,” he says.
“This is the alarming bit for many, and this will make the ‘do you pay ransom question’ a far more difficult one to answer.”