REvil hits thousands in largest-ever ransomware attack

The group claims to have locked more than a million individual devices and is reportedly demanding $70m (€59m) in bitcoin to set them free through a universal decryptor.

According to cyber security company Kaspersky more than 5,000 attack attempts in 22 countries have been observed so far and the number of encrypted businesses could run into thousands.

The Russia-connected REvil gang struck on 2 July by compromising Kaseya, a US software provider which helps companies manage basic software updates. Since many of its customers are managed software providers (MSPs) which handle internet services for other businesses, the number of victims grew quickly.

Instead of employing the usual method locking an individual organisation, REvil this time locked each target’s computer as a standalone target and initially asked $45,000 to unlock each specific one.

According to media reports, victims include Swedish grocery chain Coop which was forced to close most of its around 800 stores on 3 July because its cash tills are controlled online by Visma Esscom, a Kaseya customer. They were locked up and rendered unusable. Eleven schools in New Zealand and two Dutch IT firms have also been hit.

United States’ President Joe Biden has directed the government’s full resources to investigate the attack.

REvil’s claim to have compromised more than a million devices is impossible to prove given no government or company has a database of everyone who was hit, US broadcaster NBC pointed out.

Kaseya CEO Fred Voccola was reported by the Associated Press as saying the number of victims would probably be in the low thousands, made up of small organisations such as dental practices and libraries.

In its latest update on the incident, the Miami-headquartered company said: “Due to our teams’ fast response, we believe that this [cyber-attack] has been localised to a very small number of on-premises customers only.

“Our security, support, research and development, communications and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service.”

Kaseya is currently aware of fewer than 60 customers directly compromised by the attack. They were all using the VSA on-premises product.

“While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our Software-as-a-Service customers were compromised.”

The advice Kaseya is giving clients includes: “Customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponised.”