Comment: REvil makes the highest ransom demand in history

Fireeye News


On July 2, 2021, a REvil / Sodinokibi affiliate exploited several vulnerabilities in Kaseya's VSA product to push a ransomware encryptor to the endpoints managed by VSA. The resulting $70 million demand is the highest ransom demand in history. A comment from Charles Carmakal, SVP and CTO, Mandiant.

Kaseya VSA is a remote monitoring and management (RMM) solution used by managed service providers (MSPs) and enterprises to administer computer systems remotely. The number of organizations affected by the REvil ransomware attack is not yet known, but Kaseya estimates it to be fewer than 1,500. Many of the affected businesses are very small, family-run companies that learned of the impact late because of the U.S. holiday weekend.

REvil Ransomware as a Service (RaaS)

REvil Ransomware-as-a-Service (RaaS) has been advertised on Russian-language underground forums since May 2019. In the RaaS business model, a core group develops the ransomware, negotiates with the victims and operates the backend infrastructure, while partners (affiliates) carry out the intrusions and deploy the ransomware. The RaaS is operated by the actor "UNKN" (also known as "Unknown"), who does not accept English-speaking affiliates and does not allow affiliates to attack CIS countries, including Ukraine. The known affiliates are Russian-speaking, but it is likely that some of those involved are not physically located in Russia. Following the Colonial Pipeline attack, UNKN made efforts to restrict the targets chosen by REvil affiliates and insisted on vetting targets before the ransomware is deployed.

REvil demands $70 million ransom

Charles Carmakal, SVP and CTO, Mandiant (Image: FireEye)

REvil took responsibility for the attack on the evening of July 4th, claiming to have hit more than a million systems. They are asking for $70 million for a universal decryption key that can be used to unlock any affected system. This exorbitant sum is the highest in history. In private discussions, REvil has proactively lowered its demands. They are also known to exaggerate the scope and impact of their attacks. In addition, REvil has not yet published any data from the intrusions, a method they often use to coerce their victims into paying. As long as criminals can demand tens of millions of dollars in ransom without facing a jail sentence, this problem will only get worse. These groups are well funded and highly motivated, and only a determined, collaborative approach will turn the tide.

More at FireEye.com



About Trellix

Trellix is a global company redefining the future of cybersecurity. The company's open and native Extended Detection and Response (XDR) platform helps organizations facing today's most advanced threats gain confidence that their operations are protected and resilient. Trellix security experts, along with an extensive partner ecosystem, accelerate technology innovation through machine learning and automation to support over 40,000 business and government customers.

