Companies in 17 countries, including South Africa, the UK, Canada, Argentina, Mexico and Spain, have been struck by a mass ransomware attack exploiting multiple previously unknown vulnerabilities in IT management software made by Kaseya, an American software company that develops software for managing networks, systems, and information technology infrastructure.
REvil – The Alleged Threat Actors
Cybersecurity researchers are claiming that the attacker is a Russia-based hacking group who call themselves REvil. They are also known as “the Sodinokibi ransomware gang”, according to Kaspersky, a global cybersecurity and digital privacy firm.
The group has demanded a ransom of $70-million to be paid in Bitcoin.
Kaspersky claims that its malware detection products have identified some threats from REvil’s hack. It lists the following detection names:
- PDM:Trojan.Win32.Generic (with Kaspersky’s Behavior Detection)
“Win32” is Microsoft’s API. Without it, you cannot run applications on Windows computers, basically rendering your computer useless. It also seems the ransomware was transferred via trojan horses.
A Previously Unknown Flaw
According to Bloomberg via News24, investigations by Stockholm-based TrueSec found that the hacker group targeted multiple victims in Sweden opportunistically. The hackers used a previously unknown flaw in Kaseya’s code. This flaw was used to get the ransomware onto servers that ran Kaseya’s software and were connected to the internet.
The company, however, has said that fewer than 40 customers were affected by the attack and that its cloud-based services weren’t impacted. Customers of Kaseya included companies that provide remote IT support and, ironically, cybersecurity services for SMBs (small to medium businesses).
Frank Breedijk, head of the Dutch Institute’s computer security incident response team, has said that the hackers implicated in the attacks showed a “high skill level” in being able to exploit the Kaseya software in the manner that they did.
“The big point behind this is someone was willing, determined and had the resources to build this attack chain, and it’s not a trivial chain to build,” he said in an interview.
“You have to know what you’re doing to make an attack like this work.”
$70-Million for Ransom
REvil has since allegedly demanded $70 million in Bitcoin for a universal decryptor, according to two cybersecurity experts who reviewed an announcement on the group’s website. The universal decryptor would let the victims decrypt all the data that is being held for ransom.
Ross McKerchar, VP and CISO at Sophos, a cybersecurity firm, said that the ransomware hack was “one of the farthest-reaching criminal ransomware attacks Sophos has ever seen.”
“At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations,” he said in a statement.
“We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”