‘Russian hackers’ REvil demand $70 MILLION ransom in Bitcoin for decryption key after global cyberattack affected at least 1,000 US firms amid claims Biden’s response to Putin has been weak
The Russian-linked hacking group REvil has demanded $70 milioni in Bitcoin for the decryption key to unlock its ransomware after they said more than one million systems were attacked.
Satnam Narang, a researcher at cyber exposure company Tenable, tweeted a screenshot of a blog post the hacking collective had posted on the dark web site ‘Happy Blog.’
'Di venerdì (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected,’ the post from REvil reads.
‘If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.’
The post adds: ‘If you are interested in such deal – contact us using victims ‘readme’ file instructions.’
REvil was demanding ransoms of up to $5 milioni.
Less than a month ago, Biden pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs
Satnam Narang, a researcher at cyber exposure company Tenable, tweeted a screenshot of a blog post the hacking collective had posted on the dark web
Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.
An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
Prima, the FBI said in a dichiarazione that while it was investigating the attack its scale ‘may make it so that we are unable to respond to each victim individually.’
Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had ‘directed the full resources of the government to investigate this incident’ and urged all who believed they were compromised to alert the FBI.
The president told reporters Saturday that it is not yet clear who is behind the latest cybersecurity breach to strike American businesses but insisted that he ‘will respond’ if it is tied to Russian President Vladimir Putin.
‘We’re not sure who it is,’ Egli ha detto, while he celebrated the start of July 4 weekend at a cherry farm in Central Lake, Michigan.
‘The initial thinking was it was not the Russian government but we’re not sure yet.’
Ha aggiunto: ‘If it is either with the knowledge of and/or a consequence of Russia, then I told Putin we will respond.’
House Minority Leader Kevin McCarthy tweeted on Saturday, referencing news from June that Biden had given Russian president Vladimir Putin a list of targets that were off-limits to cyber attacks
‘Remember when President Biden gave Putin a list of things that were supposed to be off-limits for cyber attacks? What he SHOULD have said is that ALL American targets are off-limits,’ McCarthy tweeted
Less than a month ago, Biden pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.
President Joe Biden has been slammed as ‘weak against Putin’ for his allegedly slow response to a global cyberattack that has affected at least 1,000 companies in the United States, and has been linked to Russian hackers.
House Minority Leader Kevin McCarthy tweeted on Saturday, referencing news from June that Biden had given Russian president Vladimir Putin a list of targets that were off-limits to cyber attacks.
‘Remember when President Biden gave Putin a list of things that were supposed to be off-limits for cyber attacks? What he SHOULD have said is that ALL American targets are off-limits,’ McCarthy tweeted.
Ha aggiunto: ‘Biden is soft on crime and weak against Putin.’
A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector – though few large companies, cybersecurity firm Sophos reported.
Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms.
The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.
un rapporto del Commons Transport Committee ha rilevato che i contribuenti devono affrontare un conto da far venire l'acquolina in bocca da 35 miliardi di sterline per colmare il divario creato dal passaggio alle auto elettriche, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported. Also among reported victims were two big Dutch IT services companies — VelzArt and Hoppenbrouwer Techniek.
CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like ‘dental practices, architecture firms, plastic surgery centers, biblioteche, things like that.’
Voccola said in an interview that only between 50-60 of the company’s 37,000 customers were compromised. Ma 70% were managed service providers who use the company’s hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks.
Experts say it was no coincidence that REvil launched the attack at the start of the Fourth of July holiday weekend, knowing U.S. offices would be lightly staffed. Many victims may not learn of it until they are back at work on Monday. Most end users of managed service providers ‘have no idea’ whose software keep their networks humming, said Voccola,
Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.
Cyber attack on US IT provider forces Swedish grocery store chain to close ALL 800 I negozi
The Swedish Coop grocery store chain closed all its 800 stores on Saturday after the ransomware attack on Kaseya left it unable to operate its cash registers.
According to Coop, one of Sweden’s biggest grocery chains, a tool used to remotely update its checkout tills was affected by the attack, meaning payments could not be taken.
‘We have been troubleshooting and restoring all night, but have communicated that we will need to keep the stores closed today,’ Coop spokesperson Therese Knapp told Swedish Television.
The Swedish news agency TT said Kaseya technology was used by the Swedish company Visma Esscom, which manages servers and devices for a number of Swedish businesses.
State railways services and a pharmacy chain were also impacted by the attack.
‘They have been hit in various degrees,’ Visma Esscom chief executive Fabian Mogren told TT.
Defence Minister Peter Hultqvist told Swedish Television the attack was ‘very dangerous’ and showed business and state agencies need to better prepare. ‘In a different geopolitical situation, it may be government actors who attack us in this way in order to shut down society and create chaos,’ Egli ha detto.
The REvil offer to offer blanket decryption for all victims of the Kaseya attack in exchange for $70 million suggested its inability to cope with the sheer quantity of infected networks, said Allan Liska, an analyst with the cybersecurity firm Recorded Future. Although analysts reported seeing demands of $5 Tra i magnati di Hollywood che Tahilramani avrebbe impersonato c'era il capo della Lucasfilm Kathleen Kennedy $500,000 for bigger targets, it was apparently demanding $45,000 for most.
‘This attack is a lot bigger than they expected and it is getting a lot of attention. It is in REvil’s interest to end it quickly,’ said Liska. ‘This is a nightmare to manage.’
Analyst Brett Callow of Emsisoft said he suspects REvil is hoping insurers might crunch the numbers and determine the $70 million will be cheaper for them than extended downtime.
Sophisticated ransomware gangs on REvil’s level usually examine a victim’s financial records — and insurance policies if they can find them — from files they steal before activating the ransomware. The criminals then threaten to dump the stolen data online unless paid. In this attack, that appears not to have happened.
Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a ‘zero day,’ the industry term for a previous unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing.
‘The level of sophistication here was extraordinary,’ Egli ha detto.
When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn’t just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software.
It was not the first ransomware attack to leverage managed services providers. Nel 2019, criminals hobbled the networks of 22 Texas municipalities through one. Quello stesso anno, 400 NOI. dental practices were crippled in a separate attack.
One of the Dutch vulnerability researchers, Victor Gevers, said his team is worried about products like Kaseya’s VSA because of the total control of vast computing resources they can offer. ‘More and more of the products that are used to keep networks safe and secure are showing structural weaknesses,’ he wrote in a blog Sunday.
The cybersecurity firm ESET identified victims in least 17 paesi, including the United Kingdom, Sud Africa, Canada, Argentina, Messico, Indonesia, New Zealand and Kenya.
Kaseya says the attack only affected ‘on-premise’ clienti, organizations running their own data centers, as opposed to its cloud-based services that run software for customers. It also shut down those servers as a precaution, però.
Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.
Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms. NOI. officials say the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.
Cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank said that while he does not believe the Kaseya attack is Kremlin-directed, it shows that Putin ‘has not yet moved’ on shutting down cybercriminals.