The REvil hacker group is suspected to have carried out the largest ransomware attack on record over the Fourth of July weekend. The attack targeted organizations across 17 countries and the group is demanding $70 million for a universal decryptor key.
The attack is believed to have started on Friday, July 2nd, timed so that many U.S. organizations would be closed or lightly staffed for the holiday weekend. A post on Happy Blog, the dark web site REvil traditionally uses to publicize its actions and demands, stated that the initial attack impacted more than 200 U.S. managed service providers and infected more than one million systems.
The primary targets of the attack were managed service providers (MSPs), because breaching a single MSP causes a domino effect through its entire client base. Florida-based IT software vendor Kaseya was one of the first targets because of the large number of MSPs running its VSA server. The attackers knew that once they breached Kaseya they would have access to all of its clients. Gartner analyst Katell Thielemann gave Kaseya credit for reacting swiftly, but stated that "the reality of this event is it was architected for maximum impact, combining a supply chain attack with a ransomware attack".
The attack impacted organizations of all sizes and industries across the globe, according to a report from Sophos. Coop, the popular Swedish grocery chain, was forced to close more than 800 stores on Sunday after the attack took down its cash register software supplier. Several Swedish gas stations and pharmacy chains, as well as state railways and select television stations, were also impacted. The attack also hit a large German IT services company and two of the largest Dutch IT service companies, Hoppenbrouwer Techniek and VelzArt.
The first reports of the attack stated that individual ransom demands per company ranged from $45,000 to $5 million, but the narrative changed when the ransomware gang offered a pooled ransom of $70 million for a universal decryptor that would unlock everything. Some industry professionals believe this may be a numbers play: organizations and insurers may prefer to pay one lump sum rather than deal with the complexity of many individual payments. There has been no confirmation of payment, and many experts believe the $70 million figure is a starting point for negotiating a lump-sum payout rather than a fixed amount.
So how did this ransomware attack happen? Details are still light, as usual, but initial reports suggest the attack exploited a zero-day vulnerability in third-party software. The strategy behind the attack is nothing new, and targeting managed service providers to gain quick access to their client base will only continue to grow in popularity. This type of supply-chain attack targets widely used software providers because compromising the provider spreads the malware to its customers automatically.
The thought process is simple, and other criminals think the same way: why would a carjacker take the time to break into several cars in a parking lot when he could just break into the valet station and grab all the keys at once? This strategy was used in the August 2019 ransomware attack on more than 20 Texas municipalities and in the large-scale attack on U.S. dental practices the same year.
The White House stated that it had reached out to victims of the attack and that the FBI is involved, but there has been no confirmation that Russia was directly involved. In an updated report, a cybersecurity firm claims that the malware's code was written to avoid systems that primarily use Russian or related languages.
Cybersecurity incidents, specifically ransomware attacks, continue to dominate the headlines and have become a larger political issue following the Colonial Pipeline and JBS Foods attacks. The federal government is becoming increasingly involved as cyber-attacks have become a growing national security concern. Recent government actions include an Executive Order on cybersecurity and pending legislation that would establish federal cyber breach disclosure standards.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].