Cybercriminals are demanding more than $70 million to end a ransomware attack, one of the largestin history. It appears that the attack is carried out by a group of cyber criminals located in Russia called REvil.
The company that has been affected by this attack is called Kaseya,specifically one of its products, a virtual system/server administrator. The virus is extremely infectious, and of a few servers affected at the start of the attack, it has been increasing as the days have passed.
Kaseya is a managed service provider that has approximately 37,000 customers. It was attacked last weekend when an REvil member gained access to VSA (Virtual Server Administrator) devices installed on clients’ devices. Although not yet confirmed, it is suspected that the attackers used an exploit on the Kaseya VSA server for initial access.
What is the product concerned
The affected product is called VSA. VSA, is a Virtual System/Server Administrator. It is a software package used by Kaseya customers to monitor and manage their infrastructure. It is provided as a cloud service hosted by Kaseya or through on-premises VSA servers.
Such is the seriousness of this matter that even U.S. President Joe Biden reported that U.S. intelligence services are investigating the attack and action would be taken if in the end it is Russia that is responsible for this attack.
The impact of the ransomware attack
Cybersecurity teams are working to stop the impact of the largest global attack on record, and some details emerge about how the gang linked to Russia. They have taken advantage of a software bug, a 0-day.
A group of criminals REvil, best known for extorting meat processor JBS for $11 million after a Memorial Day attack (May 30, celebrated in the United States), infected thousands of victims in at least 17 countries, mostly through companies that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
REvil was demanding ransoms of up to $5 million, investigators said. But on Sunday night he offered in a post on his dark website a universal decryption software key that would decrypt all affected machines in exchange for $70 million in cryptocurrencies.
Initiation of the attack
The company became aware of the attack on July 2, 2021 and reported that same day that they were investigating a potential attack on VSA. They indicated that day that it was limited to a small number of local customers only. SaaS servers(Software a s aS ervice, servers on the internet) were proactively shut down as a precaution.
Some security companies also informed Kaseya of the security incident and maintained a star collaboration with them from day one.
Actions carried out by the company Kaseya
All actions taken by the company are shown in chronologically at this web address -> https://www.kaseya.com/potential-attack-on-kaseya-vsa/.
References
- https://twitter.com/troyhunt/status/1412276963096502274
- https://www.kaseya.com/get-started/vsa-demo/
- https://www.kaseya.com/products/vsa/
- https://www.cbsnews.com/news/kaseya-atttack-biggest-known-ransomware/
- https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/
- https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-kaseya-ransomware-attack/layout_view
