Fallout Continues World’s Largest Ransomware Attack As New Details Emerge – .

Fallout Continues World’s Largest Ransomware Attack As New Details Emerge – .

The biggest ransomware attack to date continued to bite on Monday as more details emerged of how a Russian-linked gang entered the exploited software company. Criminals basically used a tool that helps protect against malware to spread it globally.

Thousands of organizations – largely companies that remotely manage other IT infrastructure – were infected in at least 17 countries during Friday’s assault. Kaseya, whose product has been tapped, said Monday there are several who have just returned to work.

Because the attack on the infamous REvil gang came just at the start of a long July 4 weekend, many more victims were expected to learn of their plight when they returned to the office on Tuesday.

The story continues under the ad

REvil is best known for extorting $ 11 million from meat processor JBS last month. Security researchers said its ability to evade anti-malware protections in this attack and its apparent exploitation of an earlier unknown vulnerability on Kaseya servers reflect the growing financial might of REvil and a few dozen other ransomware gangs. whose success helps them afford the best digital burglary. merchandise. These criminals infiltrate networks and cripple them by scrambling data, extorting their victims.

REvil was seeking payments of US $ 5 million from the so-called managed service providers who were its main downstream targets in this attack, apparently demanding far less – just US $ 45,000 -om their distressed customers.

But on Sunday night, he offered on his dark website to make available a universal decryptor that would decrypt all affected machines if he was paid $ 70 million in cryptocurrency. Some researchers viewed the offer as a publicity stunt, while others believed it indicated that the criminals had more victims than they could handle.

Sweden is perhaps the hardest hit – or at least the most transparent about the damage. Its Defense Minister, Peter Hultqvist, said in a television interview “how fragile the system is when it comes to computer security”. Most of the 800 stores of the Swedish grocery chain Coop were closed for a third day as their cash registers were out of order. A Swedish chain of pharmacies, a chain of gas stations, the public railway and the public broadcaster SVT were also affected.

A wide range of businesses and public agencies have been affected, including in financial services and travel, but few large companies have been affected, cybersecurity firm Sophos said. The UK, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya are among the affected countries, researchers say.

In a statement released on Sunday, U.S. Deputy National Security Advisor Anne Neuberger urged all victims to alert the FBI. A day earlier, the FBI had said in an alert that the scale of the attack “may mean that we cannot respond to each victim individually.”

The vast majority of ransomware victims are loath to admit it publicly, and many avoid reporting attacks to law enforcement or revealing whether they are paying ransoms unless required by law.

The story continues under the ad

US President Joe Biden said on Saturday he had ordered a “deep dive” by US intelligence services into the attack and that the US would respond if it determined the Kremlin was involved. In Geneva last month, Biden sought to pressure Russian President Vladimir Putin to end the safe haven for REvil and other ransomware gangs that operate with impunity in both Russia and allied states. that they avoid national targets. Trade union extortion attacks have worsened over the past year.

On Monday, Putin’s spokesman Dmitry Peskov was asked whether Russia was aware of the attack or whether it had looked into it. He said no but suggested it could be discussed during the US-Russia consultations on cybersecurity issues. No date has been set for such consultations, and few analysts expect the Kremlin to quell a wave of crime that benefits Mr. Putin’s strategic goals of destabilizing the West.

Kaseya said Monday that fewer than 70 of its 37,000 customers were affected, although most are managed service providers with multiple downstream customers. Most managed service providers were likely to know by Monday if they were affected, but that may not be true for most of the small and medium businesses they serve, said Ross McKerchar, manager. information security at Sophos. MSPs fly blindly because the very software tool they use to monitor customer networks has been knocked out by the attack.

The hacked Kaseya tool, VSA, remotely maintains customer networks, automating security and other software updates.

In a report on the attack on Monday, Sophos said a VSA server was breached with the apparent use of a “zero day,” the industry term for a previously unknown software security flaw. Like other cybersecurity firms, she criticized Kaseya for aiding attackers by asking customers not to monitor her on-site “working” folders for malware. Inside these folders, code from REvil could work undetected to disable Microsoft’s Defender program malware and ransomware reporting tools.

Sophos said REvil made no attempt to steal data in this attack. Ransomware gangs usually do this before activating the ransomware so they can threaten to throw it online unless they get paid. This attack was apparently only bare bones, scrambling only the data.

The story continues under the ad

In an interview on Sunday, Kaseya CEO Fred Voccola did not confirm the use of a day zero or give details of the violation except to say that it was not phishing and that ‘he was convinced that when an investigation by the cybersecurity company was completed, it would show that not only Kaseya, but also third-party software had been breached by attackers.

Be smart with your money. Get the latest investment information delivered straight to your inbox three times a week with the Globe Investor newsletter. Register today.


Please enter your comment!
Please enter your name here