
Hundreds of businesses hostage to REvil ransomware

July 6, 2021.

As many as 1,500 companies worldwide were hit by a highly destructive ransomware attack that began at Florida-based software maker Kaseya. The attack was launched on Friday, July 2, just ahead of the three-day Independence Day weekend in the United States. Attackers affiliated with REvil, a ruthless gang that produces sophisticated ransomware, exploited a zero-day vulnerability in Kaseya VSA, a remote monitoring and management product that Kaseya says serves some 35,000 customers. Many of those customers are managed service providers (MSPs) that use VSA to administer their own clients' machines, so control of a VSA server let the attackers push a malicious "update" down the chain to the small and medium-sized businesses those MSPs manage. REvil demanded a US$ 70 million ransom in bitcoin for a universal decryption tool that would let all victims recover their files.

The attack's repercussions were felt around the world: it disrupted schools in New Zealand and some public administration offices in Romania, and the Swedish supermarket chain Coop had to close hundreds of stores because its checkout systems stopped working. (Coop's point-of-sale systems are managed by Visma Esscom, a Swedish IT company that runs servers for a number of other Swedish companies and that uses Kaseya's software.) REvil, which is believed to operate out of Eastern Europe or Russia, is one of the most notorious providers of "ransomware as a service": it supplies other groups, its affiliates, with the tools to carry out ransomware attacks and takes a percentage of the ransom payments, and it also runs attacks of its own. REvil is behind several other recent high-profile attacks: it hit meat producer JBS Foods in early June, Apple supplier Quanta Computer in April, and electronics maker Acer in March.

Ars Technica, Dan Goodin, “Up to 1,500 businesses infected in one of the worst ransomware attacks ever.”