The single biggest global ransomware attack yet continued to bite Monday as details emerged on how the Russia-linked gang responsible breached the company whose software was the conduit. In essence, the criminals used a tool that helps protect against malware to spread it widely.
An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
REvil was demanding ransoms of up to $5 million. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency. It wasn't clear who they expected might pay that amount.
Sweden may have been hardest hit by the attack — or at least most transparent about it. Its defense minister, Peter Hultqvist, bemoaned on Monday "a serious attack on basic functions in Swedish society."
A broad array of businesses and public agencies were affected, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported. The cybersecurity firm ESET identified victims in countries including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.
Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up.
The hackers behind a mass ransomware attack exploited a previously unknown vulnerability in IT management software made by Kaseya Ltd., the latest sign of the skill and aggressiveness of the Russia-linked group believed responsible for the incidents, cybersecurity researchers said Sunday.
Marcus Murray, founder of Stockholm-based TrueSec Inc., said his firm's investigations involving multiple victims in Sweden found that the hackers targeted them opportunistically. In those cases, the hackers used a previously unknown flaw in Miami-based Kaseya's code to push ransomware to servers that used the software and were connected to the internet, he said.
The Dutch Institute for Vulnerability Disclosure said it had alerted Kaseya to a vulnerability in its software that was then used in the attacks, and that it was working with the company on fixes when the ransomware was deployed.
Q&A: How ransomware works
What is ransomware and how does it work?
Ransomware scrambles the target organization's data with encryption. The criminals leave instructions on infected computers for negotiating ransom payments. Once paid, they provide decryption keys for unlocking those files.
Ransomware crooks have also expanded into data-theft blackmail. Before triggering encryption, they sometimes quietly copy sensitive files and threaten to post them publicly unless they get their ransom payments.
What's a supply-chain attack and how does it affect so many of us?
The latest attacks combine a ransomware operation with what's known as a supply-chain attack, which typically involves sneaking malicious code into a software update automatically pushed out to thousands of organizations.
Kaseya says the ransomware affected its product for remotely monitoring networks; but because many of its clients are providers of broader IT management services, a large number of organizations are likely to be affected.
"What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business," said John Hammond of the security firm Huntress Labs. "Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business."
Until now, the best-known recent supply-chain attack was attributed to elite Russian hackers and targeted software provider SolarWinds. But the motive was different; it was a massive intelligence operation targeting government agencies and others, not an attempt to extort money.
How do ransomware gangs operate?
The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia and allied countries. Though barely a blip three years ago, the syndicates have grown in sophistication and skill. They leverage dark web forums to organize and recruit while hiding their identities and movements with sophisticated tools and cryptocurrencies like Bitcoin that make payments — and their laundering — harder to track.
Most experts have tied the Kaseya attack to a group known as REvil, the same ransomware provider that the FBI linked to an attack on JBS SA, a major global meat processor, amid the Memorial Day holiday weekend.
Active since April 2019, the group provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms.
AP reporters Jim Heintz in Moscow, Jan Olsen in Stockholm, Kirsten Grieshaber in Berlin, Jari Tanner in Helsinki and Sylvie Corbet in Paris contributed to this report.