Fallout continues from biggest global ransomware attack


BOSTON (AP) — The largest ransomware attack ever continued to bite Monday as more details emerged about how a Russia-linked gang breached the software company whose product was exploited. The criminals essentially spread the malware globally through a tool that is meant to help protect against malware.

Thousands of organizations – mostly firms that remotely manage others’ IT infrastructure – were infected in at least 17 countries in Friday’s attack. Kaseya, whose product was exploited, said on Monday that they include several just now returning to work.

More victims were expected to learn of their fate when they returned to the office on Tuesday, as the attack by the notorious REvil gang had come just as the long Fourth of July weekend had begun.

REvil is best known for extorting $11 million from meat processor JBS last month. Security researchers said the attack’s ability to evade anti-malware measures and its apparent exploitation of a previously unknown vulnerability in Kaseya’s servers reflect the growing financial strength of REvil and several dozen other top ransomware gangs, whose success lets them afford the best digital break-in tools. Such criminals infiltrate networks and paralyze their victims by scrambling all their data.

REvil was seeking $5 million in payments from so-called managed service providers, which were its main targets in this attack, and apparently much less—just $45,000—from their affected customers.

But late Sunday, its dark web site offered a universal decryptor that would unlock all affected machines if $70 million in cryptocurrency was paid. While some researchers considered the proposal a PR stunt, others thought it showed that the criminals had more victims than they could manage.

Sweden may have taken the hardest hit, or at least been the most transparent about the damage. Defense Minister Peter Hultqvist lamented in a TV interview “how fragile the system is when it comes to IT security.” Most of Swedish grocery chain Coop’s 800 stores were closed for a third day, their cash registers crippled. A Swedish pharmacy chain, a gas station chain, the state railroad and public broadcaster SVT were also hit.

Cybersecurity firm Sophos said numerous businesses and public institutions were affected, including financial services and travel, but several large companies were hit. The countries affected include the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya, the researchers said.

In a statement on Sunday, Anne Neuberger, deputy US national security adviser, urged all victims to alert the FBI. The day before, the FBI said in a warning that the scale of the attack “could make us unable to respond to each victim individually.”

The vast majority of ransomware victims are reluctant to admit it publicly, and most refrain from reporting attacks to law enforcement or disclosing whether they have paid a ransom unless required by law.

President Joe Biden said on Saturday that he had ordered US intelligence to “deep dive” into the attack and that the US would respond if it determined that the Kremlin was involved. Last month in Geneva, Biden pressed Russian President Vladimir Putin to end the safe haven for REvil and other ransomware gangs, which go unpunished in Russia and allied states as long as they avoid local targets. Extortion attacks by such syndicates have gotten worse over the past year.

On Monday, Putin spokesman Dmitry Peskov was asked whether Russia was aware of or investigating the attack. He said no, but added that cybersecurity issues could be discussed during US-Russia consultations. No date has been set for such consultations, and few analysts expect the Kremlin to crack down on a crime wave that serves Putin’s strategic goal of destabilizing the West.

Kaseya said Monday that fewer than 70 of its 37,000 customers were affected, but most of those are managed service providers with multiple customers of their own.

The hacked Kaseya tool, VSA, remotely manages client networks, automating security and other software updates.

In a report on the attack released Monday, Sophos said a VSA server was breached through the apparent use of a “zero-day,” the industry term for a previously unknown software vulnerability. Like other cybersecurity firms, it faulted Kaseya for aiding the attackers by asking customers to exclude the tool’s internal “worker” folders from anti-malware scanning. From within those folders, REvil’s code could run undetected and disable the malware- and ransomware-flagging features of Microsoft’s Defender program.
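The report’s point is that anti-malware exclusions on a management tool’s working folders, plus a disabled Defender, are exactly what let the payload run unnoticed. The following PowerShell audit is an added example, not code from Sophos, Kaseya or the AP report; it uses only the standard `Get-MpPreference` and `Get-MpComputerStatus` cmdlets, and the folder list is a placeholder you replace with the paths your own remote-management agent uses.

```powershell
# Added example (not from the article): audit Microsoft Defender on a Windows host
# for exclusions that cover a remote-management tool's working folders and for
# disabled protection features. Run in an elevated PowerShell session.
param(
    # Assumption/placeholder: the working folders your RMM agent uses.
    [string[]]$WorkingFolders = @('C:\RMM-WORKING-FOLDER-PLACEHOLDER')
)

$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$findings = @()

# Protection features an intruder would want switched off.
if ($status.RealTimeProtectionEnabled -ne $true) {
    $findings += 'Real-time protection is disabled.'
}
if ($pref.DisableBehaviorMonitoring) {
    $findings += 'Behavior monitoring is disabled.'
}

# Path exclusions: flag whole-drive exclusions and any that contain a working folder.
foreach ($ex in @($pref.ExclusionPath)) {
    if ([string]::IsNullOrWhiteSpace($ex)) { continue }
    if ($ex -match '^[A-Za-z]:\\?$') {
        $findings += "Exclusion covers an entire drive: $ex"
        continue
    }
    foreach ($wf in $WorkingFolders) {
        $exNorm = $ex.TrimEnd('\')
        $wfNorm = $wf.TrimEnd('\')
        if ($wfNorm.StartsWith($exNorm, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Exclusion '$ex' leaves working folder '$wf' unscanned"
        }
    }
}

# Extension exclusions that would let executable content bypass scanning.
foreach ($ext in @($pref.ExclusionExtension)) {
    if ([string]::IsNullOrWhiteSpace($ext)) { continue }
    if ($ext.TrimStart('.') -in @('exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js')) {
        $findings += "Executable extension excluded from scanning: $ext"
    }
}

if ($findings.Count -eq 0) { 'No risky Defender settings found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A vendor may legitimately require some exclusions, so treat each finding as something to review against the vendor’s written guidance and compensate for with monitoring of that folder, rather than as a setting to remove blindly.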

Sophos said REvil did not attempt to steal data in this attack. Ransomware gangs usually do so before activating the ransomware, so they can threaten to dump the data online if payment isn’t made. This attack appeared bare-bones, only scrambling the data.

In an interview on Sunday, Kaseya CEO Fred Voccola did not confirm the use of a zero-day or provide details of the breach—except to say that it was not phishing and that, once the cybersecurity firm’s investigation was complete, he was confident it would show that the attackers had breached not only Kaseya but also third-party software.

Copyright © 2021 Washington Times, LLC.