Hackers demand $70 million as REvil ransomware attack on Kaseya supply‑chain claims one million systems worldwide

Another day, another cyberattack. SolarWinds, Colonial pipeline, JBS meat processing, Cyber Polygon, and now Kaseya. With no one to stop them, cyber attackers are now roaming freely across the internet wreaking havoc on mostly American companies.

As Americans celebrated Independence Day, the notorious cybercrime gang known as REvil had their own celebration —  the successful attack on managed service providers (MSPs), organizations that provide remote IT infrastructure management services for multiple customers.

Over the weekend, Kaseya IT management software, a tool commonly used in Managed Service Provider (MSP) environments, was hit by the REvil ransomware attack. However, unlike the SolarWinds attack, REvil is demanding $70 million to restore the data they are holding for ransom from victims spread across at least 17 countries, according to a posting on a dark website.

According to research published by cybersecurity firm ESET, about a dozen different countries were affected by the Kaseya ransomware attack that has now affected the global supply chain. ESET noted that some of Kaseya’s customers were hit by a compromised update package for users of Kaseya’s remote monitoring VSA platform because these customers were MSPs with numerous customers of their own.

While the initial ransomware infection was limited to about 30-40 of Kaseya customers, the ransomware has potential ripple effects to infect many more customers. Yesterday, ESET reported a variant of the ransomware known as “Win32/Filecoder.Sodinokibi.N trojan on July 2nd at 3:22 PM (EDT; UTC-04:00).”

“The detection includes both the main body of the ransomware, as well as DLLs it sideloads. ESET telemetry shows the majority of reports coming from the United Kingdom, South Africa, Canada, Germany, the United States, and Colombia,” ESET wrote in a blog post. BBC also reported that as many as 500 of the 800 supermarket stores operated by the Swedish Coop were forced to close when their checkouts stopped working.

Meanwhile, Ross McKerchar, the chief information security officer at Sophos Group Plc, said that “schools, small public-sector bodies, travel and leisure organizations, credit unions, and accountants” are among those hit by the REvil ransomware attack.

“This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” said Ross McKerchar, the chief information security officer at Sophos, “at this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions.”