Hackers suspected of being behind a massive ransomware attack that has affected hundreds of companies around the world have demanded $ 70 million to restore the data, according to a message posted on a dark website.
The demand was posted Sunday night on a site commonly used by the REvil cybercrime gang, a Russia-linked group that is among the world’s most prolific cybercrime extortionists.
The gang has an affiliate structure, which occasionally makes it difficult to determine who speaks on behalf of the hackers, but Allan Liska of cybersecurity company Recorded Future said it was “almost certain” the message came from REvil’s core leadership.
The group has not responded to an attempt by Reuters to reach out for comment.
REvil’s ransomware attack, which the group executed on Friday, was one of the most dramatic in a series of increasingly attention-grabbing hacks.
The gang broke into Kaseya, an information technology company based in Miami, and used its access to breach some of its customers’ customers, causing a chain reaction that quickly paralyzed the computers of hundreds of companies from all over the world.
Cybersecurity experts quickly blamed the attack on REvil. Sunday’s statement was the first public recognition of the group behind it.
A Kaseya executive said the company was aware of the ransom demand, but did not immediately return further messages for comment.
Liska said he believed the hackers had bitten off more than they could chew.
“For all their big talk on their blog, I think this has gotten out of hand and is much bigger than they expected,” he said.
“Way out of hand”
The ransomware attack, one of the largest in history, spread around the world on Saturday. In one case of its effect, it forced the Swedish grocery store chain Coop to close its 800 stores because it could not operate with its cash registers.
The attack hijacked Kaseya’s VSA desktop management tool and triggered a malicious update that infected technology management vendors serving thousands of businesses.
Security firm Huntress Labs, one of the first to raise the alarm about the wave of infections among vendors’ customers, said Saturday that thousands of small businesses could have been affected.
Miami-based Kaseya said it was working with the FBI and that only about 40 of its clients were directly affected. It did not comment on how many of those were vendors who in turn spread the malware to others.
In a statement Saturday afternoon, the FBI said it was investigating in coordination with the U.S. Cybersecurity and Infrastructure Agency.
“We encourage everyone who may be affected to use the recommended mitigations and for users to follow Kaseya’s guidelines for shutting down VSA servers immediately,” the agency said.
Affected companies found their files encrypted and were left messages demanding ransom payments of thousands or millions of dollars.
‘Tip of the iceberg’
Some experts said the timing of the attack, the Friday before a long holiday weekend in the US, was aimed at spreading it as quickly as possible while employees were out of the workplace.
“What we’re seeing now in terms of casualties is probably just the tip of the iceberg,” said Adam Meyers, senior vice president of security company CrowdStrike.
President Joe Biden said Saturday that he had directed U.S. intelligence agencies to investigate who was behind the attack.
According to Coop, one of Sweden’s largest grocery chains, the attack affected a tool that was used to remotely update its cash registers, so no payments could be made.
“We’ve been troubleshooting and restoring all night, but we’ve announced that we’ll have to keep the shops closed today,” Coop spokeswoman Therese Knapp told Swedish television.
Swedish news agency TT said Kaseya technology was used by Swedish company Visma Esscom, which manages servers and devices for several Swedish companies.
State rail services and a chain of pharmacies also suffered disruptions.
“They have been affected to varying degrees,” Fabian Mogren, executive director of Visma Esscom, told TT.
Defense Minister Peter Hultqvist told Swedish television that the attack was “very dangerous” and showed how companies and state agencies needed to improve their preparedness.
“In a different geopolitical situation, it can be government actors who attack us in this way to shut down society and create chaos,” he said.