One of the largest mass ransomware attacks ever has compromised up to 1,500 businesses, according to a Tuesday update from the Florida IT company Kaseya, which the hackers used to spread their malicious software.
The self-proclaimed culprit of the Friday outbreak, the Russia-based ransomware gang REvil, is seeking $70 million in cryptocurrency collectively from what it says are actually more than 1 million victims to unlock affected systems, reportedly ranging from Swedish supermarket chains to New Zealand kindergartens that were closed or knocked offline.
It’s the latest of three recent huge ransomware incidents to draw White House attention, with President Joe Biden over the weekend directing “the full resources of the government to investigate this incident,” according to a statement by Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger.
Unlike the last two major incidents that affected single victims in fuel transporter Colonial Pipeline and meat supplier JBS, the Kaseya-filtered attack is more globally disbursed, comparable as a ransomware incident only to the 2017 WannaCry cryptoworm that infected hundreds of thousands of computers.
Kaseya offers its VSA platform to managed service providers (MSPs) to whom other companies outsource IT functions. The company said only 50 of its 35,000 customers have been breached, but given the reach of its MSP customers, 50 victims can quickly multiply into many, many more. That also renders the attack as a particularly damaging supply chain incident, following the 2020 breach at federal contractor SolarWinds, which led to woes at U.S. federal agencies and large companies.
The company shut down the software over the holiday weekend. It also released detection tools. It said its customers don’t include critical infrastructure firms.
“Our global teams are working around the clock to get our customers back up and running,” said Kaseya CEO Fred Voccola in a statement. “We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”
Researchers at the Dutch Institute for Vulnerability Disclosure said the Kaseya attackers exploited previously-unknown zero-day vulnerabilities that the company was in the midst of patching when the outbreak began.
Originally the culprits demanded ransoms ranging from approximately $50,000 to $5 million. They might have been too successful in their attack, however, as security researcher Jack Cable said, that for a time REvil was “no longer allowing new infections to pay ransom.”
The Kremlin said on Monday that it had not heard from the U.S. about the incident. The Biden administration has criticized Russia for harboring accused cybercriminals.