Hacker group REvil has demanded $70 million in Bitcoin in exchange for the decryption key for ransomware that has locked more than 200 companies out of critical files and information.
The group's latest ransomware campaign struck on July 2 when an IT management solutions provider called Kaseya said it was investigating an attack on its VSA remote software monitoring and management tool. The company estimated that 40 of its customers were affected, but many of those businesses had clients of their own.
A security firm called Huntress Labs initially estimated that at least 200 companies were affected by the ransomware campaign. At the time of writing, the company has upped that estimate to say that it could be more than 1,000 affected organizations around the world, which makes this one of the largest ransomware campaigns to date.
BleepingComputer reported that REvil claims its campaign affected more than 1 million devices. The good news? The group also claimed all of those devices "will be able to recover from attack in less than an hour" because their files were encrypted using the same key. The bad news is, well, they want $70 million for that key.
That's a record high ransom, BleepingComputer said, beating the $50 million REvil previously demanded from Acer. The group also requested $50 million from Quanta Computer in exchange for stolen files related to upcoming Apple products in April, but it mysteriously dropped that demand a day before it was supposed to be paid.
President Joe Biden said over Independence Day weekend that he ordered an investigation into this ransomware campaign to determine if the Russian government was involved. Kaseya said that it's been in touch with the FBI, the Cybersecurity and Infrastructure Security Agency, and other federal agencies.
Before I retired, I worked for a large Canadian government department (10,000 clients) and we were very strict when it came to backups and backups of backups.
That included online backups and offline backups.
I hear a lot of complaints about public servants but our group was the most dedicated and computer savvy bunch of "old coders".
Real "old coders". Going right back to Assembler days. And we knew our stuff.
I have no idea why some of this stuff is online in the first place - so you can open a valve from your desk?
The sooner these networks are hardened, the faster we can put these cowards out of business.
Didn't the US invent the Internet? (DARPA)
Rather, the monitoring is fed out to regular systems.
Once that network goes down, the whole thing needs to be taken offline, until it can be recovered from a backup, or a full reinstall. Which is NOT trivial.
Things need to be brought back online in a specific order.
Assuming there exists a proper backup scenario, and a detailed, tested checklist of how to restart.
2-3 days of downtime while everything is restarted == potential millions of $$.
The question is - How did this ransomware get into the network to begin with?
It does NOT happen randomly or via a drive-by... some idiot opened something he shouldn't, or brought some crap from home.
Plus network administrators and software vendors are not doing their job by using checksums to verify their updates.
How else does something like the SolarWinds breach get distributed?
It's all about accountability, and over the last 30 years I've seen the bar get lower and lower.
If everyone were doing their jobs to the utmost, these things wouldn't be happening.