Ransomware group REvil demands record $70 million for decryption tool

A ransomware attack that affected multiple businesses across the United States last week has also broken the record for the largest ever ransom demanded by cyber-crooks, a staggering $70 million.

The cyber-crooks, linked to the notorious REvil ransomware gang, have claimed on their blog that they would offer a universal decryption tool that would work for any of the businesses affected by the attack, assuming those businesses opted to group together to cough up the ransom’s asking price.

What happened?

This was a “supply-chain” attack with the aim of deploying traditional ransomware to multiple targets.

A supply-chain attack is when attackers infect devices by planting their malware at the top of the software food chain and waiting for it to filter down. So, for example, Windows users get software updates from Microsoft, and if attackers managed to compromise Microsoft’s servers and plant malware within the latest update (which would then install that malware on the machines of Windows users), that would be a supply-chain attack. (Just an example: this attack didn’t involve Microsoft.)

(A good analogy of a supply-chain attack is from the movie Independence Day, when the good guys infect the “mother ship” with a computer virus which in turn passes the same virus to all of the smaller ships.)

In this case the top of the food chain was a company called Kaseya. They’re a software company that provides software services to Managed Service Providers (MSPs), who in turn are companies that provide a range of different services to other businesses.

Cyber-crooks managed to compromise Kaseya and plant their malware within a Kaseya tool called VSA, which is used for network monitoring, backups and patch management. This tool is used by Kaseya’s customers, the Managed Service Providers, who would then have unwittingly used it to infect their own clients’ devices. The ransomware travels down the supply chain from Kaseya, to the MSP companies, to the clients of those MSP companies.

Ransomware, as no doubt all our regular readers will know, is malware that encrypts important files found on a victim’s device or network, rendering them useless until a ransom is paid for a decryptor tool.

Successful supply-chain attacks can be particularly devastating because they only require the crooks to compromise a single company, after which the malware can be spread to multiple locations and multiple companies through otherwise legitimate processes such as software updates.

It’s not clear exactly how many organisations have been infected by this attack, though security software vendor Sophos has claimed it is one of the furthest-reaching ransomware attacks they have seen, infecting at least 70 MSPs and a further 350 of their clients. REvil, on the other hand, has claimed their ransomware has made its way onto over a million devices thanks to the attack, and has used that to justify their lofty $70 million ransom demand.

Kaseya, meanwhile, has been far more conservative in its estimates, claiming between 800 and 1,500 end-clients have been compromised.

Many of Kaseya’s services are currently offline, and customers using the infected tool are being advised to keep certain servers offline.

President Biden has instructed the US intelligence services to investigate. Any details about ransoms paid to the REvil ransomware gang are not yet known, and may never be known, since many such ransom payments are made in secret and not publicly disclosed.