The gang behind a huge ransomware attack have demanded $70m to be paid in Bitcoin in return for a ‘universal decryptor’ that will unlock the files of all the victims, the BBC reports. The gang call themselves the REvil group, and claim the ransomware attack has hit one million IT systems. However, this number has not been verified.
What is known is that US IT firm Kaseya have been hit, along with two Dutch IT firms, 500 Swedish Coop supermarkets, and 11 schools in New Zealand. Because Kaseya provide outsourced software services, it is thought that the spread of the malware may be much greater than is currently apparent.
Kaseya made the following statement on their website in regard to the attack:
“The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya’s VSA codebase has been maliciously modified.”
Prof Ciaran Martin, founder of the National Cyber Security Centre, told the BBC that the attack was sophisticated, but also rare in its scale. It is believed that most of REvil’s members are based in Russia or countries that were formerly part of the Soviet Union.
Prof Martin said that Russia has become a safe environment for ransomware criminals, but also criticised the West for making it too easy for the gangs to obtain payment. He was also surprised that REvil requested the payment should be made in Bitcoin, when there are many harder-to-trace cryptocurrencies available.
One of the most common currencies demanded by ransomware attackers is Monero, but Tom Robinson, the founder and chief scientist of Elliptic, a firm specialising in the analysis of bitcoin payments, said that purchasing $70m of Monero would be difficult for practical and regulatory reasons.
Cyber security firms have been making a huge global effort to combat the menace of ransomware attacks, which has been steadily growing over the past few years, and is thought to have been exacerbated by the pandemic, as there was a sharp increase in remote communications.
Meanwhile, Kaseya have issued a warning that spammers are exploiting the news about the malware attack to send out fake email notifications, known as phishing emails. The emails contain malicious links or attachments that, once opened, can covertly install software which can hack into stored computer files, or spy on confidential data.
The BBC reports that the recent attack was made possible by a ‘secret digital doorway’ in the Kaseya system, which was exploited by the gang. The doorway had already been discovered by the Dutch Institute for Vulnerability Disclosure, who were working on the problem when the attackers struck.
The level of knowledge, skill and sophistication needed by the REvil gang to carry out their latest cyberattack is alarming, and highlights the ever-growing race between cyber security experts and the criminals of the new ‘Wild West’.
If you need web application penetration testing, please get in touch today to see how we can help.