The group behind the crippling supply chain ransomware attack on a US software company has reportedly demanded $70 million in return for a ‘universal’ decryption key, as researchers claim there could be thousands of global victims.
It’s believed that the REvil strain was used to compromise Kaseya’s VSA IT management software, although which ransomware affiliate is unknown.
However, as reported by the BBC, there has been surprise at the group’s request that the money be paid in Bitcoin, which is an easier to trace cryptocurrency than Monero.
In fact, individual ransom requests with affected organizations are apparently still being made in Monero, but the latest $70 million demand for a decryptor for all victims was issued in Bitcoin.
It’s unclear how many organizations are affected. The original estimate from Kaseya of “fewer than 40” was yesterday revised upwards to “fewer than 60.”
Many of these are managed service providers (MSPs) whose customers were affected. The software maker estimates around 1,500 downstream organizations of this sort were impacted — all of whom run its on-premises product.
Among these unlucky organizations are 500 Coop supermarkets in Sweden, 11 schools in New Zealand and two Dutch IT firms.
A report from Kaspersky yesterday claimed as many as 5000 attack attempts had been made in 22 countries since July 2.
The attack’s impact may have been exacerbated as it was timed to coincide with the July 4 holiday weekend in the US, meaning many IT security professionals were off duty.
However, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) jointly released guidance for affected MSPs and their customers.
For the former, the advice included downloading Kaseya’s VSA Detection Tool, which is designed to scan systems for any indicators of compromise (IoCs).
Christos Betsios, cyber operations officer at Obrela, pointed out that REvil predecessor Gandcrab compromised Kaseya in the past to infect MSPs and their customers.
“The key is always to be prepared for the worst-case scenario, even if proper patch management and vulnerability management programs are in place, we are not secure anymore,” he added. “Attackers will continue to try to compromise big software vendors and distribute their malicious code via them.”