The REvil ransomware gang that hit IT software provider Kaseya VSA with a crippling supply chain ransomware attack on Friday, July 2, has now published a blanket ransom demand on its dark web site, the notorious Happy Blog. According to the post, the REvil gang, also known as Sodinokibi, is asking for a payout of $70 million, or about Rs 520 crore, to unlock what it claims to be “more than a million systems.” The demand comes two days after news of the attack broke; early reports suspected that at least a few hundred small and medium sized companies had been affected. The companies were largely using outsourced IT services from Managed Service Providers (MSPs), which in turn were using software provided by Kaseya VSA.
The REvil gang’s post reads, “On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is $70,000,000 in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims “readme” file instructions. (sic)”
The ransom demand is the biggest known in public memory and, if paid, would be the largest ransom ever paid following a cyber attack. The Kaseya ransomware attack is also one of the biggest cyber attacks known to date, and its sheer scale is alarming in terms of the attack’s sophistication, its reach, and the total cost companies may face to get back on their feet and work around their encrypted data, even if the demanded ransom is not paid. Initial reports had found the REvil gang demanding around $5 million (about Rs 37 crore) from the bigger MSPs hit by the attack, and as little as $45,000 (about Rs 33.5 lakh) from the smaller companies that were hit because they were clients of Kaseya or of the affected MSPs.
Ross McKerchar, VP and CISO at Sophos, explained the extent of the Kaseya REvil ransomware attack that has so far come to light, saying, “Our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organisations. We expect the full scope of victim organisations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the UK and other regions.”
While it remains to be seen what resolution will be reached in light of the REvil attack, the situation is a grave one at the moment. The US Federal Bureau of Investigation (FBI), along with numerous cyber security companies, is presently investigating the attack, and a report by The Associated Press states that US president Joe Biden has directed the full resources of the American government towards the investigation. The move comes after the United States increased pressure on Russia to crack down on ransomware gangs, many of which have been alleged to be based in Russia. It is not yet clear whether any state-backed motive is behind the Kaseya ransomware attack, although the indications so far do not directly suggest one.
Ransomware payouts are known to be a direct incentive for further ransomware attacks, and on this front many cyber security advocates have called for better regulation and greater involvement of central government resources in dealing with the increasing volume of ransomware attacks around the world. The Kaseya ransomware attack is also a global one, and is not restricted to the USA or any other specific country. With the ransom demand out in the open, it remains to be seen how the issue progresses.
Before publishing this blanket ransom demand on its blog, the REvil gang had claimed that the ransom amounts would increase over time if its demands were not met.