Hackers demand $70m after Kaseya attack

Hackers were demanding $70 million in bitcoin in exchange for data stolen during an attack on a US IT company that has shuttered hundreds of Swedish supermarkets. Researchers believe more than 1,000 companies could have been affected by the attack on Miami-based firm Kaseya, which provides IT services to some 40,000 businesses around the world.

The FBI warned Sunday that the scale of the “ransomware” attack — a form of digital hostage-taking where hackers encrypt victims’ data and then demand money for restored access — is so large that it may be “unable to respond to each victim individually”. Sweden’s Coop supermarket chain was among the most high-profile victims, with “a majority” of their 800 stores still closed three days after the hack paralysed its cash registers, spokesman Kevin Bell told AFP.

Coop is not a direct customer of Kaseya’s, but its IT subcontractor Visma Esscom was hit by the attack. Bell stressed that the situation was looking “positive compared to a few days ago”, but the few hundred stores that have reopened were relying on alternative payment solutions, such as customers paying using their smartphones.

Experts believe the attack was probably carried out by REvil, a Russian-speaking hacking group known as a prolific perpetrator of ransomware attacks. A post on Happy Blog, a site on the dark web previously associated with the group, claimed responsibility for the attack and said it had infected “more than a million systems”.

The FBI believes that REvil, which also goes by the name Sodinokibi, was behind a ransomware attack last month on global meat-processing giant JBS, which ended up paying $11 million in bitcoin to the hackers. The blog post claiming responsibility for the Kaseya attack said the hackers would post a decryption tool online “so everyone will be able to recover from attack in less than an hour” — if they were handed $70 million in bitcoin.

Kaseya describes itself as a leading provider of IT and security management services to small and medium-sized businesses. The company said Sunday that it believed the damage had been restricted to a “very small number” of customers using its signature VSA software, which lets companies manage networks of computers and printers from a single point.

But cybersecurity firm Huntress Labs said in a Reddit forum that it was working with partners targeted in the attack, and that the software was manipulated “to encrypt more than 1,000 companies”. Kaseya said it had “immediately shut down” its servers after detecting the attack on Friday and warned its VSA customers to do the same, “to prevent them from being compromised.” The company has released a tool allowing its customers to find out whether their own computer systems have been compromised by the attack.

Kevin Reed, CISO at Acronis comments “Far as we’re aware, REvil’s systems involve a high degree of automation – humans are only involved if a victim wants to negotiate a price. So, they may not really need to scale to cover the “long tail” of $45,000 ransoms. Victim pays to a predefined Bitcoin wallet, they detect the payment and release the decryption key for the victim – no human involved at this stage. I think the offer of a universal decryptor is a PR stunt. If they indeed encrypted one million systems, assuming 1,000 systems per victim, it’s in the range of 1,000 victims – which correlates with some of the earlier findings reported. With an average of $45,000 per victim – was their standard fee in this case – that makes up $45 million. Yes, some victims were individually targeted and had higher ransoms, but I doubt the total target reached $70 million. Also, those individually targeted victims will be handled by humans anyway and their numbers seem not large enough at this point to impose the REvil scale-out problem.”