Kaseya ransomware attackers demand $70 million, claim they infected over a million devices

Three days after ransomware attackers started the holiday weekend by compromising Kaseya VSA, we have a clearer idea of how widespread the impact has been. In a new ransom demand, the attackers claim to have compromised more than 1 million computers, and demand $70 million to decrypt the affected devices.

Kaseya’s software is used by Managed Service Providers to perform IT tasks remotely, but on July 2nd, the Russia-linked REvil ransomware group deployed a malicious software update exposing providers who use the platform, and their clients.

The Dutch Institute for Vulnerability Disclosure (DIVD) revealed that the exploit used for the breach appears to be the same one it had discovered and was in the process of addressing when the attackers struck. “We were already running a broad investigation into backup and system administration tooling and their vulnerabilities,” DIVD wrote. “One of the products we have been investigating is Kaseya VSA. We discovered severe vulnerabilities in Kaseya VSA and reported them to Kaseya, with whom we have been in regular contact since then.”

On Friday, Kaseya CEO Fred Voccola said that “Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.” Sophos VP Ross McKerchar said in a statement Sunday that “This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger followed up on earlier comments by President Biden, saying “The FBI and CISA will reach out to identified victims to provide assistance based upon an assessment of national risk.”

Huntress Labs is participating in the response to the attack and has cataloged most of the available information, saying the attack compromised over 1,000 businesses that it’s tracking.

[Image: REvil ransom demand. Credit: Sophos]

Sophos, Huntress and others pointed to this post (above) on REvil’s “Happy Blog,” claiming that more than a million devices have been infected and setting a ransom demand of $70 million in Bitcoin to unlock all of them. REvil has been linked to a slew of ransomware incidents, including one attack involving Kaseya in June 2019, and a high-profile incident earlier this year targeting the meat supplier JBS. However, security researcher Marcus Hutchins expressed skepticism about the group’s claim, suggesting they’re overstating the impact in hopes of extracting a large payout from Kaseya or someone else.

So far, one of the companies most noticeably impacted by the attack is Coop, a chain of over 800 grocery stores in Sweden that closed Saturday after the attack shut down its cash registers. According to a note on its website, stores where customers can shop using Coop’s Scan & Pay mobile app have reopened, while other locations remain closed. Experts have predicted that more victims may be discovered on Tuesday, when workers return to offices in the US.

Three days after the attack, Kaseya’s SaaS cloud servers remain offline. The company says it will provide an updated timeline for server restoration this evening, as well as more technical details of the attack to help recovery efforts by customers and security researchers.