
Hackers want $70 million for Kaseya decryption

July 5, 2021

The Russian-linked REvil ransomware group is alleged to have carried out an attack that affected hundreds of companies worldwide. Joe Biden says the US will respond if the Kremlin is involved.

Swedish supermarket chain Coop was among the companies hit by the cyberattack. Image: Alexander Farnsworth/picture alliance

The hackers behind a huge ransomware attack said late Sunday on their blog that they want $70 million (€59 million) in Bitcoin to publicly release what they are calling a "universal decryptor."

The firm Kaseya, which helps firms remotely manage their IT infrastructure, was hit Friday in an attack believed to have been carried out by Russian-linked cybercrime gang REvil. The attack infected hundreds of companies in at least 17 countries.

The group is best known for the recent attack on JBS meat processing. In that instance, REvil was able to extort $11 million from the firm in a ransomware payment.

On Saturday, US President Joe Biden said there would be a response if investigations determined the Kremlin was linked in any way.

Which companies were hit in this latest ransomware attack?

The Miami-based firm Kaseya said a broad array of small businesses — including in financial services, travel and leisure, and public agencies on all continents — were hit in this latest ransomware attack.

In Sweden, the grocery chain Coop said the vast majority of its 800 stores were closed on Sunday for a second day because their cash register software supplier was down. A pharmacy chain, a gas station chain, the state railway and the public broadcaster SVT were also compromised.

The Swedish grocery chain Coop reported the software used to run its registers was breached in the ransomware attack. Image: Jonas Ekströmer/TT NYHETSBYRON/picture alliance

In Germany, the news agency dpa reported that an unnamed IT services company believed several thousand of its customers were hit by this ransomware attack. Two big Dutch IT firms, VelzArt and Hoppenbrouwer Techniek, also reported problems. 

CEO Fred Voccola of Kaseya said he believes the number of victims is in the low thousands, noting that it was mostly small businesses like "dental practices, architecture firms, plastic surgery centers, libraries, things like that."

Voccola added that only between 50 and 60 of the company's 37,000 customers were compromised by REvil. Kaseya has hired cybersecurity firm Mandiant to investigate the breach.

While the CEO would not confirm details of the hack, Voccola did say the attack was not based on phishing and that the level of sophistication "was extraordinary."

Of the systems that were attacked, 70% were managed service providers who used Kaseya's VSA software to manage multiple customers. That software automates the installation of security updates, and manages backups and other essential functions.

At present, Kaseya believes REvil did not just breach its code, but likely exploited vulnerabilities in third-party software.


What are the reactions to this latest ransomware attack?

The FBI said in a statement that it is investigating, but the scale of the cyberattack "may make it so that we are unable to respond to each victim individually."

US Deputy National Security Advisor Anne Neuberger said Biden had "directed the full resources of the government to investigate this incident" and urged anyone who believes their systems were compromised to contact the FBI.

Cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank said he does not believe there is likely to be Kremlin involvement; rather, the attack indicates Russian authorities "have not yet moved" on shutting down ransomware gangs operating on Russian soil.

The most serious of ransomware gangs operate from within Russia or aligned states. They are tolerated by the Russian authorities and sometimes work with the security services.

ar/rt (AP, Reuters)