Russia-linked ransomware gang REvil on Sunday claimed responsibility for the recent hack of IT management firm Kaseya, an attack that impacted more than a thousand companies around the world.
In a post to its dark web blog, REvil took credit for the hack and said it will release a universal decryptor to unlock all affected computers for $70 million in Bitcoin, The Record reports. The group invited interested parties to make contact for negotiations.
"On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor - our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal - contact us using victims "readme" file instructions," REvil said in the post.
Intelligence agencies investigating the case believed REvil to be behind the attack, though they lacked confirmation until Sunday. The hacking group previously targeted meat processing company JBS and in April threatened to leak "confidential drawings of personal data with several major brands" after hacking systems owned by Apple supplier Quanta. JBS paid an $11 million ransom to protect its data, while Quanta was at one point in talks to pay out $20 million.
As noted by Gizmodo on Monday, REvil's Kaseya hack last Friday is known as a supply chain ransomware attack, meaning malicious code is inserted into a software vendor's network and subsequently distributed to customers.
REvil is thought to have leveraged an exploit in Kaseya's VSA cloud platform to gain access to customers' VSA appliances, which managed service providers (MSPs) use to provide remote support and software update support to smaller businesses. VSA platforms are also used by larger businesses to manage remote computer fleets.
According to The Record, REvil used the VSA access to deliver a malicious payload that encrypted local files on all connected computers.
In an update on Monday, Kaseya said it knew how the attack occurred and was working to fix the issue. The company instructed all customers to keep VSA servers offline until further notice.
Keep up with everything Apple in the weekly AppleInsider Podcast — and get a fast news update from AppleInsider Daily. Just say, "Hey, Siri," to your HomePod mini and ask for these podcasts, and our latest HomeKit Insider episode too. If you want an ad-free main AppleInsider Podcast experience, you can support the AppleInsider podcast by subscribing for $5 per month through Apple's Podcasts app, or via Patreon if you prefer any other podcast player.
17 Comments
A few properly place Hellfire missiles from an affected country would bring this type of activity to a stop pretty fast.