Staff enter the headquarters of information technology firm Kaseya in Miami.
Suspected Russian-speaking cybercriminals behind what may be the largest ransomware attack to date have demanded $70 million in Bitcoin in exchange for a decryption tool as companies and security experts continued to assess the extent of damage.
Cybersecurity experts believe thousands of victims in at least 17 countries may be impacted by the attack on U.S.-based firm Kaseya, which provides information-technology (IT) services to some 40,000 businesses around the world.
Fred Voccola, CEO of Kaseya, said only about 50-60 of the company’s customers were compromised. However, 70 percent were so-called managed service providers who use the company’s hacked VSA software to manage multiple customers.
That means thousands of small and medium-sized businesses could be impacted, Voccola said in an interview with the Associated Press. Voccola declined to offer details of the breach except to say that it was not phishing and that "the level of sophistication here was extraordinary."
Cybersecurity experts say the REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack and it was no coincidence that it was launched at the start of the U.S. Independence Day holiday weekend. Many victims may not find out they have been hit until they reopen on July 5 or 6.
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency are investigating and have asked companies to report the incidents but warned that "the scale of this incident may make it so that we are unable to respond to each victim individually."
President Joe Biden has directed U.S. intelligence agencies to investigate, and Anne Neuberger, White House deputy national-security adviser for cyber and emerging technology, said in a statement that the FBI and the Department of Homeland Security "will reach out to identified victims to provide assistance based upon an assessment of national risk."
One of the companies affected is the Swedish grocery chain Coop. It was forced to close most of its 800 stores because the attack crippled its cash register software. A Swedish pharmacy chain, gas station chain, the state railway, and public broadcaster SVT were also hit.
In the case of Coop, it was impacted because its IT subcontractor is linked to Kaseya.
Germany’s federal cybersecurity watchdog said an unidentified IT service provider that looks after several thousand customers had been hit. Two big Dutch IT services companies also were among the targets.
Ransomware attacks are carried out by hackers who break into networks and spread malicious computer code used to encrypt a victim’s digital data. The data are unusable until the targeted company pays the ransom.
A post on Happy Blog, a site on the dark web previously associated with REvil, claimed responsibility for the attack and said it had infected "more than a million systems," a claim that couldn’t be verified.
The hackers said they would release a decryption to allow companies to recover from the attack only if they were given $70 million in Bitcoin.
The FBI believes that REvil was behind a ransomware attack in May on meat-processing giant JBS. The Brazil-based company ended up paying $11 million in Bitcoin to the hackers.
Another high-profile ransomware attack in May targeted Colonial Pipeline, which temporarily closed the largest U.S. gas pipeline. U.S. law enforcement authorities said they recovered most of the ransom paid to another criminal group, DarkSide, in the pipeline case.
In June, Biden pressed Russian President Vladimir Putin during their summit in Geneva about ransomware gangs allegedly operating with impunity in Russia. Biden said he also told Putin that the United States would respond if an investigation determines that the Russian government is behind an attack.
With reporting by AP, AFP, and Reuters