BOSTON (AP) – The largest global ransomware attack on record stretched into Monday as details emerged of how the Russia-linked gang broke into the company whose software served as the conduit. In essence, the criminals used a tool meant to protect against malware to spread it widely.
A member of the notorious REvil gang, best known for extorting $11 million from meat processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
REvil has demanded up to $5 million in ransom. But late Sunday, in a post on its dark web site, it offered a universal decryption key that would unlock all affected machines in exchange for $70 million in cryptocurrency. It was not clear who would pay that amount.
Sweden may have been hardest hit by the attack, or at least the most transparent about it. Its defense minister, Peter Hultqvist, on Monday called it “a serious attack on basic functions of Swedish society.”
“It shows how fragile the system is when it comes to IT security and you have to work constantly to defend yourself,” he said in a TV interview. Most of the 800 stores of the Swedish grocery chain Coop were closed all weekend because their cash register software provider was paralyzed. They remained closed on Monday. A Swedish pharmacy chain, a petrol station chain, the state railway and the public broadcaster SVT were also hit.
A wide range of businesses and government agencies were affected, including financial services, travel and leisure, and the public sector, albeit few large corporations, cybersecurity firm Sophos reported. Cybersecurity firm ESET identified victims in countries including the UK, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.
Ransomware criminals infiltrate networks and plant malware that cripples them by encrypting all of their data. Victims receive a decryption key once they pay.
In Germany, an unnamed IT service provider informed the authorities that several thousand of its customers had been compromised, the news agency dpa reported. The reported victims also included two large Dutch IT service companies, VelzArt and Hoppenbrouwer Techniek. Most ransomware victims do not publicly report attacks or reveal whether or not they have paid a ransom.
On Sunday, the FBI said in a statement that it was investigating the attack, but that its scale “may be so large that we are unable to respond to each victim individually.” Assistant National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had “directed all government resources to investigate this incident,” and urged anyone who believed they had been compromised to alert the FBI.
Biden suggested on Saturday that the US would respond if the Kremlin were found to be involved at all. Less than a month ago, Biden pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose relentless extortionate attacks the US sees as a threat to national security.
Putin spokesman Dmitri Peskov was asked on Monday whether Russia was aware of the attack or had looked into it. He said no, but suggested that it could be discussed by the US and Russia in consultations on cybersecurity issues for which no date has been set.
Experts say it was no coincidence that REvil launched the attack at the start of the July 4th holiday weekend, knowing that US offices would be sparsely staffed and that many victims might not discover it until returning to work on Monday or Tuesday.
Most managed service provider end users “have no idea” whose software is keeping their networks running, said Fred Voccola, CEO of software company Kaseya.
He estimated the number of victims in the low thousands, mostly small businesses such as “dental practices, architectural offices, plastic surgery centers, libraries and the like.”
Voccola said only 50 to 60 of the company’s 37,000 customers were compromised. However, 70% of those were managed service providers using the company’s hacked VSA software to manage multiple customers. VSA automates the installation of software and malware-detection updates, and manages backups and other critical tasks.
Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.
REvil’s offer of blanket decryption for all victims of the Kaseya attack in exchange for $70 million suggested it was unable to cope with the sheer volume of infected networks, said Allan Liska, an analyst at cybersecurity firm Recorded Future.
Acronis’ Kevin Reed said, however, that offering a universal decryptor could be a public relations gimmick, since paying the $45,000 ransom demand that appears to have been sent to the vast majority of targets requires no human involvement. Analysts reported demands of $5 million and $500,000 for larger targets that would require negotiation.
Emsisoft analyst Brett Callow said he suspects REvil is hoping insurers will crunch the numbers and find that $70 million is cheaper for them than prolonged downtime.
Sophisticated ransomware gangs of REvil’s caliber usually examine a victim’s financial records, and insurance policies if they can find them, in the files they steal before activating the ransomware. The criminals then threaten to post the stolen data online unless they are paid, although in this case that does not appear to have happened. This attack was apparently bare-bones: REvil appears only to have encrypted the victims’ data.
Dutch researchers said they brought the breach to the attention of Miami-based Kaseya, saying the criminals used a “zero day,” the industry term for a previously unknown vulnerability in software. Voccola would neither confirm that nor provide details of the breach, except to say that it was not phishing.
“The level of sophistication here has been exceptional,” he said.
It wasn’t the first ransomware attack to exploit managed service providers. In 2019, criminals crippled the networks of 22 Texas communities through a. In the same year, 400 U.S. dental practices were paralyzed in a separate attack.
REvil has been active since April 2019 and offers ransomware-as-a-service, meaning it develops the network-crippling software and rents it to so-called affiliates, who infect targets and earn the lion’s share of the ransom money. US officials say the most powerful ransomware gangs are based in Russia and allied states, operate with the tolerance of the Kremlin and sometimes collaborate with Russian security services.
The AP reporters Jim Heintz in Moscow, Jan Olsen in Stockholm, Kirsten Grieshaber in Berlin, Jari Tanner in Helsinki and Sylvie Corbet in Paris contributed to this report.
source https://collegeeducationnewsllc.com/how-ransomware-attacks-are-roiling-the-cyber-insurance-industry/