Massive Kaseya attack demands up to $70 million ransom from more than 200 US businesses

Florida-based IT company Kaseya has been targeted in a ‘colossal’ ransomware attack, believed to be the work of the Russia-linked REvil group, which took advantage of an existing vulnerability in Kaseya’s servers. The attack happened on Friday 2nd July, as businesses across the US wound down for the long Independence Day weekend.

According to Kaseya, an application that runs on its corporate servers, computers and other network-connected devices was compromised in this attack. The IT company, which has more than 36,000 customers in over ten countries, has since asked users to shut down their servers urgently.

So far, it is understood that REvil compromised Kaseya’s servers and from there was able to encrypt the systems of the associated managed service providers (MSPs) and their customers, including the Swedish Coop supermarket chain, a customer of Visma EssCom.

However, REvil has already raised its ransom beyond its initial demands; just days after the attack, the group reportedly demanded between $40,000 and $45,000 per encrypted file extension. For context, each victim MSP has several file extensions encrypted by REvil, and one victim revealed that the criminal gang demanded half a million dollars to decrypt its 12 ransomed file extensions. REvil is also offering a universal decryptor, via its leak site, for a staggering $70 million.

The ransomware group has said that only the networks have been encrypted and that, at the time of writing this blog, none of the victims’ data has been stolen to be used as leverage – though this could change as negotiations continue.

Blueliv’s advice

Beyond asking its customers to shut down their servers immediately, Kaseya is also working to create a patch for the vulnerability that allowed Friday’s attack to occur. Unfortunately for Kaseya’s customers, the damage is already done.

As ransomware attacks continue to dominate headlines the world over, Blueliv advises would-be victims to look for tools that can detect and/or mitigate such attacks early. One such tool is Blueliv’s Threat Context. In the face of ransomware attacks, Blueliv’s Threat Context module pivots from the initial threat indicator before it can turn into a complete breach, drawing on a database of more than 220 million items that lets users identify associated malware, campaigns and exploited Common Vulnerabilities and Exposures (CVEs).

Users can then prioritize their CVEs and, using a score-based analysis of the ransomware, correlate them with existing campaigns. Threat Context also allows users to hunt down malware via Blueliv’s sandbox analysis and receive in-depth analysis of the threat straight from the Blueliv Labs team.

To ensure organizations are not swept up in future attacks, Blueliv urges SOC teams to incorporate sophisticated threat intelligence platforms that can help them survive attacks of this magnitude.

The post Massive Kaseya attack demands up to $70 million ransom from more than 200 US businesses appeared first on Blueliv.

This is a Security Bloggers Network syndicated blog from Blueliv authored by The Blueliv Team.