Kaseya ransomware attack by REvil affiliate named largest on record


BOSTON — Cybersecurity teams worked hard on Sunday to contain the impact of the largest global ransomware attack on record, as some details emerged about how the Russia-linked gang responsible breached the company whose software was the conduit.

An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said. They reported ransom demands of up to $5 million.

The FBI said Sunday it was investigating the attack with the federal Cybersecurity and Infrastructure Security Agency, but “the scale of this incident may make us unable to respond to each victim individually.”

President Biden said on Saturday that the United States would respond if the Kremlin was determined to be involved. He said he wanted a “deep dive” from the intelligence community into what happened.

The attack came less than a month after Biden pressed Russian President Vladimir Putin to stop providing a safe haven for REvil and other ransomware gangs whose relentless extortion attacks the US regards as a national security threat.

A large number of businesses and public institutions, apparently on every continent, were hit by the attack, including financial services, travel and leisure companies and the public sector, the cybersecurity firm Sophos reported. Ransomware criminals break into networks and plant malware that, once activated, scrambles all of the victim's data and cripples the network. Victims receive a decryption key only if they pay.

Swedish grocery chain Coop said most of its 800 stores would be closed for a second day on Sunday because its cash-register software supplier was crippled. A Swedish pharmacy chain, a gas station chain, the state railway and the public broadcaster SVT were also hit.

An unnamed IT services company in Germany told authorities that several thousand of its customers had been compromised, the news agency dpa reported. Also among the reported victims were two large Dutch IT services companies, VelzArt and Hoppenbrouwer Techniek. Most ransomware victims do not publicly report attacks or disclose whether they have paid a ransom.

Fred Voccola, CEO of the hacked software company Kaseya, estimated the number of victims in the thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”

Voccola said in an interview that only 50 to 60 of the company's 37,000 customers were compromised. But 70% of those were managed service providers that use the company's hacked VSA software to manage multiple customers. VSA automates the installation of software and security updates and manages backups and other vital tasks.

Experts say the timing was no coincidence. REvil launched the attack at the start of the July 4th holiday weekend, knowing that US offices would be understaffed. Many victims may not discover they were hit until they return to work on Monday. Voccola said the vast majority of the managed service providers' end customers "have no idea" what software is being used to keep their networks humming.

Kaseya said it sent a detection tool to about 900 customers on Saturday night.

John Hammond of Huntress Labs, one of the first cybersecurity firms to sound the alarm about the attack, said he had seen REvil demand $5 million and $500,000 for the decryption key needed to unlock encrypted networks. The smallest demand he had seen appeared to be $45,000.

Ransomware gangs as sophisticated as REvil usually examine the victim's financial records and, if they can find them, insurance policies among the files they steal before activating the data-scrambling malware. The criminals then threaten to dump the stolen data online unless they are paid. It was not immediately clear whether this attack involved data theft, however; the infection mechanism suggests that it did not.

“Stealing data often takes time and effort from the attacker, which is probably not possible in such an attack scenario with a large number of small and medium victim organizations,” said Ross McKerchar, Sophos’ chief information security officer. “We haven’t seen any evidence of data theft, but it’s still early and only time will tell if attackers will resort to playing this card to get victims to pay.”

Dutch researchers said they had alerted Miami-based Kaseya to the breach and that the criminals had used a "zero-day," the industry term for a previously unknown vulnerability in the software. Voccola would not confirm this or provide details of the breach, other than to say it was not phishing.

“The level of sophistication here was extraordinary,” he said.

Voccola said he was confident that when the cybersecurity firm Mandiant finishes its investigation, it will show that the criminals not only breached Kaseya's code but also exploited vulnerabilities in third-party software.

This was not the first ransomware attack to exploit managed service providers. In 2019, criminals crippled the networks of 22 Texas municipalities through one such provider. That same year, 400 US dental practices were hit in a separate attack.

Victor Gevers, one of the Dutch vulnerability researchers, said his team is concerned about products like Kaseya's VSA because of the total control over vast computing resources they offer an attacker. "Many of the products used to keep networks safe and secure show structural weaknesses," he wrote in a blog post on Sunday.

Cybersecurity firm ESET has identified victims in at least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.

Kaseya says the attack affected only "on-premises" customers, organizations that run the software in their own data centers, as opposed to its cloud-based service, which runs the software for customers. It shut down those cloud servers as a precaution, however.

Kaseya, which urged customers on Friday to shut down their VSA servers immediately, said on Sunday that it hoped to have a patch available within the next few days.

Active since April 2019, REvil provides ransomware as a service: it develops the software that paralyzes networks and leases it to so-called affiliates, who infect the targets and take the lion's share of the ransom. US officials say the most potent ransomware gangs are based in Russia and allied states, operate with Kremlin tolerance, and sometimes collude with Russian security services.

Dmitri Alperovitch, a cybersecurity expert at the Silverado Policy Accelerator think tank, said that while he does not believe the Kaseya attack was directed by the Kremlin, it shows that Putin has "not yet taken action" on shutting down cybercriminals.

Copyright © 2021 Washington Times, LLC.
