Fallout Continues From Biggest Global Ransomware Attack – NBC 5 Dallas-Fort Worth

The largest ransomware attack to date continued on Monday as more details emerged on how a gang affiliated with Russia broke into the software company whose product was exploited. Essentially, the criminals turned a tool meant to protect against malware into the means of spreading it around the world.

Thousands of organizations, mostly firms that remotely manage the IT infrastructure of others, were infected in at least 17 countries in Friday’s attack. Kaseya, whose product was exploited, said Monday that several of them are returning to work.

Because the notorious REvil gang struck right at the beginning of a long July 4th weekend, many more victims are likely to learn their fate when they return to the office on Tuesday.

REvil is best known for extorting $11 million from meat processor JBS last month. Security researchers said its ability to bypass anti-malware protections in this attack, and its apparent exploitation of a previously unknown vulnerability in Kaseya servers, reflect the growing financial strength of REvil and several dozen other top ransomware gangs, whose success lets them afford the best digital burglary tools. Such criminals infiltrate networks, cripple them by encrypting data and then blackmail their victims.

REvil demanded ransoms of $5 million from the so-called managed service providers, who were the main downstream targets in this attack, and apparently demanded far less, only $45,000, from their affected customers.

But late on Sunday, on its dark web site, it offered to provide a universal decryptor that would unlock all affected machines in exchange for $70 million in cryptocurrency. Some researchers thought the offer was a public relations stunt, while others thought it suggests the criminals have more victims than they can handle.

Sweden is perhaps the hardest hit, or at least the most transparent about the damage. Its defense minister, Peter Hultqvist, complained in a TV interview about “how fragile the system is when it comes to IT security”. Most of the 800 shops of the Swedish grocery chain Coop were closed for a third day, their cash registers paralyzed; a Swedish pharmacy chain, a petrol station chain, the state railway and the public broadcaster SVT were also affected.

A wide range of businesses and government agencies have been affected, including financial services and travel, but few large companies have been affected, cybersecurity firm Sophos said. The United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya were among the affected countries, researchers said.

In a statement on Sunday, US Deputy Security Advisor Anne Neuberger urged all victims to alert the FBI. The day before, the FBI issued a warning that the scale of the attack “could mean that we are unable to respond to each victim individually.”

The vast majority of ransomware victims do not publicly admit it, and many avoid reporting or disclosing attacks to law enforcement when paying ransom unless required by law.

President Joe Biden said Saturday that he had ordered US intelligence to take a “deep dive” into the attack and that the US would respond if it found the Kremlin was involved. In Geneva last month, Biden tried to pressure Russian President Vladimir Putin to end the safe haven for REvil and other ransomware gangs that operate with impunity in Russia and allied states as long as they avoid domestic targets. The syndicates’ extortion attacks have intensified over the past year.

Putin spokesman Dmitri Peskov was asked on Monday whether Russia was aware of the attack or had investigated it. He said no, but suggested that it could be discussed during the US-Russian consultations on cybersecurity issues. No date has been set for such consultations, and few analysts expect the Kremlin to tackle a crime wave that serves Putin’s strategic goal of destabilizing the West.

Kaseya said Monday that fewer than 70 of its 37,000 customers were affected, even though most were managed service providers with multiple downstream customers. Most managed service providers knew if they were hit by Monday, but that may not be the case for many of the small and medium-sized businesses they serve, said Ross McKerchar, chief information security officer at Sophos. The MSPs are flying blind because the attack turned off the software tool they use to monitor customer networks.

The hacked Kaseya tool, VSA, remotely manages customer networks and automates security and other software updates.

In a report on Monday’s attack, Sophos said a VSA server was breached through the apparent use of a “zero day,” the industry term for a previously unknown software vulnerability. Like other cybersecurity companies, it accused Kaseya of helping the attackers by asking customers to exclude the product’s local “working” folders from malware scanning. In these folders, REvil’s code could run undetected and disable the malware and ransomware detection features of Microsoft Defender.
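Exclusion folders like the ones described above are exactly the blind spots a defender should inventory. The following PowerShell audit is an added example, not code from the article, Kaseya or Sophos; it assumes a Windows host with the built-in Defender cmdlets and an elevated session, and it reports the protection state and lists every excluded path so each can be reviewed.

```powershell
# Added example (not from the article): audit Microsoft Defender's protection
# state and path/process exclusions on a Windows host. Assumes the Defender
# PowerShell module is present (Windows 10/11, Server) and the shell is elevated.

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

Write-Host "Antivirus enabled             : $($status.AntivirusEnabled)"
Write-Host "Real-time protection enabled  : $($status.RealTimeProtectionEnabled)"
Write-Host "Tamper protection enabled     : $($status.IsTamperProtected)"
Write-Host "Real-time monitoring disabled : $($prefs.DisableRealtimeMonitoring)"

# Every excluded path is a location where code runs without being scanned.
if ($prefs.ExclusionPath) {
    Write-Host "`nExcluded paths (review each one):"
    foreach ($path in $prefs.ExclusionPath) {
        # Heuristic: flag whole drives and commonly user-writable locations,
        # since an exclusion there gives any local process a scan-free workspace.
        $broad = ($path -match '^[A-Za-z]:\\?$') -or
                 ($path -match '(?i)\\(ProgramData|Temp|Users)(\\|$)')
        $note = if ($broad) { '   <-- broad or user-writable' } else { '' }
        Write-Host "  $path$note"
    }
} else {
    Write-Host "`nNo path exclusions configured."
}

# Excluded processes are equally important: anything they write is not scanned.
if ($prefs.ExclusionProcess) {
    Write-Host "`nExcluded processes:"
    $prefs.ExclusionProcess | ForEach-Object { Write-Host "  $_" }
}
```

Run it as part of a baseline check and compare the output against the vendor's documented requirements; an exclusion that is wider than the vendor actually needs, or a real-time protection value that has silently changed, is worth investigating.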

Sophos said REvil made no attempt to steal data in this attack. Ransomware gangs usually do this before activating the ransomware so they can threaten to dump the data online unless they are paid. This attack was apparently bare bones, with only data encryption.

In a Sunday interview, Kaseya CEO Fred Voccola declined to confirm the use of a zero-day or give details of the breach, other than that it wasn’t phishing, and said he was confident that once an investigation by a cybersecurity firm was complete, it would show that not only Kaseya but also third-party software had been breached by the attackers.

___

Associated Press reporters Jim Heintz in Moscow and Jan Olsen in Stockholm contributed to this report.