1 million infected systems, $70 million to save them: Kaseya ransomware attack

By Yashasvini on Jul 06, 2021 | 05:36 AM IST


Businesses around the world were crippled on Saturday as a new ransomware attacked software services provider Kaseya, affecting organizations all over the world. The group is now demanding $70 million as ransom from the software firm, the Wall Street Journal reported.

The REvil group, which is behind the attack, is demanding $70 million from the company to restore all the encrypted data. Even if nobody pays the $70 million, the ransomware group is open to receiving amounts varying between $25,000 and $5 million directly from the affected organizations to unlock their systems.

The attackers changed a Kaseya tool called VSA, used by IT professionals to manage servers, desktops, network devices, and printers. They encrypted the files of the customers of the business providers that used the tool, forcing many businesses all over the world into temporary or partial shutdowns.

The Swedish Coop grocery store chain had to close all 800 of its stores because it could not operate its cash registers.

Kaseya has released a detection tool for users to check whether their systems have been compromised.

In a video message, Kaseya CEO Fred Voccola assured customers that the company was taking adequate measures to ensure its VSA customers are back online securely. He denied the possibility that any critical infrastructure related to national security had been attacked and conveyed the same to the White House.

The Dutch Institute for Vulnerability Disclosure (DIVD) had warned Kaseya of a possible vulnerability, but the company was still working on a patch when it was breached and its software updates were compromised, the New York Times reported.

REvil, or Ransomware Evil, is a private ransomware-as-a-service (RaaS) operation that is presumed to be based in Russia, since it does not attack Russia or former Soviet nations. It is thought to have emerged from the hacker group earlier known as GandCrab, owing to similarities in their code.

The group was infamous for its attack on meat supplier JBS group, which forced a temporary shutdown of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants. The company had to pay $11 million in Bitcoin as ransom to the group.

The group claimed to have infected 40,000 computers on Saturday. By Sunday, the claim had swelled to a million, which cybersecurity experts consider implausible.

As of Tuesday, all on-premises VSA servers remain offline until further official instructions on restoring safe operations. Restarting the VSA will require installing a patch, along with a set of recommendations on how to increase your security posture, DIVD wrote in a blog update.

(With inputs from Wall Street Journal)

Picture Credits: Miami Herald