REvil demands the biggest ransom to date: $70M for a universal decryptor

Kaseya supply-chain attack puts thousands of businesses at risk: the price for recovering all affected files has been set

Kaseya affected by REvil ransomware. The biggest ransom demand from REvil's creators ever.

Miami-based tech management and software company Kaseya, which serves customers worldwide, is currently facing major hardships. Exploiting zero-day vulnerabilities, the Russia-linked REvil cybercrime gang pulled off an unprecedented attack: at least 1,000 businesses appear to have been affected, with victims identified in at least 17 countries, including the U.K., South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand, and Kenya[1].

The threat actors are now demanding a $70 million ransom payment in Bitcoin to publish a universal decryptor that can unlock files on all the affected systems crippled by the file-encrypting ransomware. Reportedly, the Dutch Institute for Vulnerability Disclosure (DIVD) had contacted Kaseya about several zero-day vulnerabilities in its VSA software (CVE-2021-30116), which it said were being exploited as a conduit to deploy ransomware.

Kaseya is known primarily for producing remote management software. This software provides a single framework for maintaining a company's IT policies, and it also helps administrators apply patches, monitor systems, and control them remotely[2]. Kaseya's VSA is used to monitor and manage infrastructure, and it is supplied either as a cloud service hosted by Kaseya or via on-premises VSA servers.

0-day vulnerabilities often make companies worldwide the target of hacking attacks

Zero-day is a term widely used to describe recently discovered security loopholes that threat actors can use to attack systems. The term refers to how recently the flaw became known: there have been zero days in which to fix it. It is applied to the vulnerability itself, to the exploit, and to the attack.

A 0-day vulnerability is a software flaw discovered by attackers. A 0-day exploit is the method hackers use to attack systems through that flaw, and a 0-day attack is the actual use of that exploit to cause severe damage or to steal data that can later be used for ransom[3].

In this case, the notorious REvil gang exploited Kaseya's vulnerabilities. On its dark web data leak site, the group bragged about the successful attack on MSPs and claimed that more than a million systems were infected, demanding $70,000,000 in BTC. Such a massive attack drew attention at the highest level: President Joe Biden stated that he had directed the full resources of the government to investigate the incident, and the FBI asks anyone who may have been compromised to alert the authorities[4].

REvil continues to cause chaos within global companies' security

REvil is a ransomware enterprise that became widely known in April 2019 and is believed to be tied to Russia. The group, also known by names like Sodin and Sodinokibi, gained a reputation for attempting to extort large payments from its corporate victims, and it is actively promoted in underground cybercrime forums as the best choice for attacking business networks, where there is more money to be made than from infecting the computers of home users[5].

The ransomware locks victims' data; in early campaigns, attackers gained HTTP access to a host's Oracle WebLogic server and injected the malware manually. Initially, the payload was delivered alongside the notorious GandCrab 5.2 ransomware, and REvil is now believed to be its successor[6].

Back in May, JBS, the world's largest meat company by sales, fell victim to a REvil cyberattack when the gang targeted its IT network, temporarily knocking out operations in Australia, Canada, and the U.S. JBS later paid the extortionists $11 million in bitcoin to regain access to its systems.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
