Hackers demand $70m ransom after executing massive Solar Winds-like attack

Lock on Laptop Screen
(Image credit: Future)

The notorious REvil gang has claimed responsibility for the widespread supply chain ransomware attack perpetrated over the weekend, demanding $70 million for unlocking computers all around the world.

In one of the most daring attacks, the ransomware gang managed to break into the infrastructure of Managed Service Provider (MSP) Kaseya, and poison an update for their VSA software to deploy ransomware on Kaseya’s business customers.

While the true impact of the attack is yet to be determined, early estimates by cybersecurity vendor ESET seem to suggest the incident has impacted thousands of firms across a dozen different countries. 

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> <a href="https://project.tolunastart.com/tqsruntime/main?surveyData=LFFFsT0HpgsyUe0tTFumBJohXK8Sedt0ARpsCF4DRGR+oCoVbvd+2+d8+UNIIx4L" data-link-merchant="project.tolunastart.com"" target="_blank">Click here to start the survey in a new window <<

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly [sic] decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” reads the notice posted on REvil blog.

Can’t outsource risk

Coincidentally, around this time last year, the US Secret Service had warned that threat actors were increasingly targeting MSPs, since successfully compromising them could give hackers the keys to the kingdom.

According to security firm Sophos and Kaseya customers who spoke with The Record, the malicious Kaseya update lands on on-premise VSA servers, from where it deploys the ransomware to all connected client systems.

Kaseya is urging all VSA owners to take their systems offline until further notice.

Mark Loman, malware analyst for security firm Sophos, told The Record that companies who have been impacted are seeing ransom notes of between $50,000 and $5 million, depending on the size of the impacted corporate network.

Meanwhile, in an official statement to The Record, Kaseya’s CEO Fred Voccola claims that the attack impacted “only a very small percentage” of their customers, pinning the number of affected customers at “fewer than 40.” 

“MSPs are a high-value target. If an MSP manages a company's security, it's once removed from the company itself, which can mean the actual company is less aware of what is happening. And, as an MSP, you have a ton of data from multiple customers,” Ben Carr, CISO at security company Qualys told TechRadar Pro.

“While you can outsource the work, you can't outsource the risk — almost everyone is susceptible to supply chain attacks,” said Carr.

It isn’t immediately clear if Kaseya is entertaining the idea of paying the ransom, which if honored, would become the highest ransomware payment ever made.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.