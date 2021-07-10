More than a thousand businesses across at least 17 countries have been affected in a massive ransomware attack centered on US information technology management firm Kaseya.



Russia-linked ransomware gang REvil has taken credit for the hack and said it will release a universal decryptor to unlock “more than a million” infected computers for $70 million in Bitcoin, according to a posting on a dark web site.

Scoop/breaking: The REvil ransomware gang is asking for $70 million to publish a universal decryptor that can unlock all computers locked during the Kaseya incident https://t.co/dvbnOesLGJ pic.twitter.com/M0a4QKwgYo — Catalin Cimpanu (@campuscodi) July 5, 2021

On July 2, when staff at many businesses were already on leave or preparing for a long holiday weekend, an affiliate of the REvil ransomware group, the cybercriminal world's most prolific extortionists, launched a widespread crypto-extortion campaign, cybersecurity firm Sophos reported.

The magnitude of impact

The REvil actors reportedly exploited a vulnerability in Kaseya's VSA remote monitoring and management software to gain access to customers' internet-facing VSA servers. They then abused VSA's own update mechanism to push a malicious package to the endpoints those servers managed; the package encrypted local files on the affected machines. This is what made the attack so efficient: one server compromise at an MSP turned into a trusted, automated deployment to every client that MSP administered.

About 60 direct Kaseya customers were affected, the company said in an update. But roughly 70 per cent of them were managed service providers (MSPs) that use VSA to manage many downstream clients. This set off a chain reaction that quickly paralyzed the computers of an estimated 800 to 1,500 businesses around the world.



The company's CEO Fred Voccola told Reuters in an interview that most of the affected businesses were small concerns, such as dentists' offices or accountants. But the impact was felt more deeply in Sweden, where a grocery store chain had to close all 800 of its stores because it could not operate its cash registers, and in New Zealand, where schools and kindergartens were knocked offline.



This is a list of victim organizations that #REvil ransomware gang has posted on its leak blog on the #DarkWeb.

A total of 273 victims they claim are posted on their darkweb leak blog site. pic.twitter.com/dLVB2ZcYMG — DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) July 3, 2021

#REvil ransomware attack against #MSPs and its clients around the world https://t.co/hE55vsOxep pic.twitter.com/2UHbY7csPz — Dmitry Bestuzhev (@dimitribest) July 5, 2021

Ransomware attacks are bigger and bolder



REvil ransomware has been advertised on underground forums for three years, cybersecurity firm Kaspersky noted in a blog, and is one of the most prolific Ransomware-as-a-Service (RaaS) operations: the core group develops and leases the malware, while affiliates recruited through a partner program carry out the intrusions and split the ransom. The group's activity was first observed in April 2019 after the shutdown of GandCrab, another now-defunct ransomware gang.

Only last month, JBS Foods, the world's largest meat processing company, paid the equivalent of $11 million in ransom after the gang forced it to shut down some operations in the United States and Australia. In April, REvil breached Quanta Computer, which assembles Apple products including the Apple Watch and the MacBook Air and Pro, as well as ThinkPads, stole confidential schematics for unreleased Apple hardware, and demanded a $50 million ransom, first from Quanta and then from Apple.

REvil ransomware gang’s Tor Network Infrastructure on Darkweb They run 1 leak blog site and 22 data hosting sites on the DarkWeb. pic.twitter.com/bqlQTfzoOV — DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) July 3, 2021

Experts believe that ransomware groups are increasingly going after high-profile targets because the payoff from a single exorbitant ransom is so large. Ransomware attacks around the globe rose by 102 per cent in 2021 compared to 2020, according to Check Point Research, which also found that India was the most affected country, with an average of 213 ransomware attack attempts per organisation per week.



A couple of months earlier, in May, the DarkSide ransomware group, also notorious for attacking high-profile targets, hit Colonial Pipeline. The shutdown of the pipeline prompted a federal emergency declaration for fuel transport, caused fuel shortages and a sharp rise in gasoline prices, and netted the group about $4.4 million in Bitcoin.



Of the existing darkweb ransomware gangs, #REvil ransomware gang attacked the second largest number of victims. The victims’ internal data was leaked to the DarkWeb. pic.twitter.com/RcRrqNfvgu — DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) July 4, 2021

How to protect yourself from a ransomware attack

The US federal agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), advised MSPs affected by the REvil attack to shut down their VSA servers immediately and keep them offline until a patch was available, to check their systems for signs of compromise using the detection tool Kaseya released, and to enable multi-factor authentication (MFA) on as many accounts as possible. Downstream customers of affected MSPs were told to do the same checks on their own endpoints, since the malicious update ran there, not on the MSP's server.

A number of factors make an organisation a likelier target for ransomware: running older devices with outdated software; using browsers or operating systems (OS) that no longer receive security patches; and not having a proper, tested backup plan.



Security experts recommend five basic cyber hygiene measures to reduce the chance and the impact of a ransomware attack: use two-factor (2FA) or multi-factor authentication, especially on remote access and administrative accounts; keep backups of important data on an external drive or other storage that is disconnected from the network when not in use, so the ransomware cannot encrypt the backup too; turn on host firewalls and segment your internal network; use strong, unique passwords and change them when there is any sign of compromise; and pay close attention to anything that provides remote access to the network, such as VPNs, RDP and remote management tools, since these are where attackers look first.



Apart from these habits, understanding how ransomware spreads is critical to avoiding it. Users need to be on the lookout for phishing emails, which can often be identified by suspicious links (for example, link text that shows one address while the link itself points somewhere else), misspellings and odd combinations of words, and unusual attachments, especially a .zip or .exe file. Infected websites, malicious advertisements and fake apps are other common delivery routes.
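The two mechanical phishing indicators named above, a link whose visible text disagrees with its target and an attachment with a risky or doubled extension, can be checked automatically before a message reaches a user. The script below is an added example written for this page, not a tool from Kaseya, CISA or any vendor mentioned here. It parses a constructed sample email (not a real phishing message) with Python's standard library, flags links that point at a raw IP address or at a different host than the text shows, and flags attachments whose final extension is one commonly used to deliver malware or that carry a double extension such as ".pdf.zip". The extension list and the sample message are assumptions for illustration; the misspelling heuristic from the text is left out because it needs a dictionary.

```python
import email
import pathlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed sample message used only to exercise the checks below.
# The sender, hosts and attachment are fictitious.
SAMPLE_EML = """From: "IT Helpdesk" <helpdesk@exmaple-corp.com>
To: user@example.com
Subject: Urgnet: your accout will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Please reviw the attached invoce and confirm at
<a href="http://198.51.100.23/login">https://portal.example.com/login</a></body></html>
--b1
Content-Type: application/zip; name="invoice.pdf.zip"
Content-Disposition: attachment; filename="invoice.pdf.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Assumed list of extensions that should never arrive as plain attachments.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                    ".lnk", ".iso", ".zip"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                     re.IGNORECASE | re.DOTALL)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Link text that itself looks like a URL or hostname; only then is a
# mismatch with the real href meaningful ("click here" is not compared).
URLISH_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$",
                       re.IGNORECASE)


def suspicious_links(html: str) -> list[str]:
    """Return findings for anchor tags whose target looks deceptive."""
    findings = []
    for href, text in LINK_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        shown_text = re.sub(r"<[^>]+>", "", text).strip()
        if IP_HOST_RE.match(href_host):
            findings.append(f"link to raw IP address {href_host}")
        if URLISH_RE.match(shown_text):
            shown_url = shown_text if "://" in shown_text else "http://" + shown_text
            shown_host = (urlparse(shown_url).hostname or "").lower()
            if shown_host != href_host:
                findings.append(
                    f"link text shows {shown_host} but points at {href_host}")
    return findings


def risky_attachments(msg: EmailMessage) -> list[str]:
    """Return findings for attachments with risky or doubled extensions."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = pathlib.PurePosixPath(name.lower()).suffixes
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r}: risky type {suffixes[-1]}")
        if len(suffixes) >= 2:
            findings.append(
                f"attachment {name!r}: double extension {''.join(suffixes)}")
    return findings


def triage(raw_eml: str) -> list[str]:
    """Parse a raw RFC 5322 message and run both checks on it."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += suspicious_links(body.get_content())
    findings += risky_attachments(msg)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("FLAG:", finding)
```

On the sample message this reports four findings: the link target is a raw IP address, the link text names portal.example.com while the href points elsewhere, the attachment's final extension is .zip, and the filename carries a double extension. In a mail gateway these checks would feed a score rather than block outright; the point is that both indicators the text describes are visible in the message structure itself and do not depend on the user noticing them.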