US companies hit by 'colossal' cyber-attack

US companies hit by 'colossal' cyber-attack
Published3 hours ago | BBC

About 200 US businesses have been hit by a "colossal" ransomware attack, according to a cyber-security firm.

Huntress Labs said the hack targeted Florida-based IT company Kaseya before spreading through corporate networks that use its software.

Kaseya said in a statement on its own website that it was investigating a "potential attack".

Huntress Labs said it believed the Russia-linked REvil ransomware gang was responsible.

The US Cybersecurity and Infrastructure Agency, a federal agency, said in a statement that it was taking action to address the attack.

The cyber-breach emerged on Friday afternoon as companies across the US were clocking off for the long Independence Day weekend.

Kaseya said one of its applications that runs corporate servers, desktop computers and network devices might have been compromised.

The company said it was urging customers that use its VSA tool to immediately shut down their servers.

Kaseya said in its statement that a "small number" of companies had been affected, though Huntress Labs said the number is already about 200 and counting.

It is not clear what specific companies have been affected - a Kaseya representative contacted by the BBC declined to give details.

Kaseya's website says it has a presence in over 10 countries and more than 10,000 customers.

"This is a colossal and devastating supply chain attack," Huntress Labs' senior security researcher John Hammond said in an email to Reuters news agency.

At a summit in Geneva last month, US President Joe Biden said he told Russian President Vladimir Putin he had a responsibility to rein in such cyber-attacks.

Mr Biden said he gave Mr Putin a list of 16 critical infrastructure sectors, from energy to water, that should not be subject of hacking.

REvil - also known as Sodinokibi - is one of the most prolific and profitable cyber-criminal groups in the world.

The gang was blamed by the FBI for a hack in May that paralysed operations at JBS - the world's largest meat supplier.

The group sometimes threatens to post stolen documents on its website - known as the "Happy Blog" - if victims don't comply with its demands.

REvil was also linked to a co-ordinated attack on nearly two dozen local governments in Texas in 2019.

Hackers behind holiday crime spree demand $70 million, say they locked 1 million devices
Kevin Collier, NBC
Mon, July 5, 2021, 7:59 AM

The hacker gang behind an international crime spree that played out over the Fourth of July weekend say they've locked more than a million individual devices and are demanding $70 million in bitcoin to set them all free in one swoop.

The gang, the Russia-connected REvil, is best known for previously hacking JBS, one of the world's largest meat suppliers, and briefly halting its operations across much of North America. But this attack's potential scope is unprecedented, according to some cybersecurity experts.

REvil's began its spree Friday by compromising Kaseya, a software company that helps companies manage basic software updates. Since many of Kaseya's customers are companies that manage internet services for other businesses, the number of victims grew quickly. Instead of locking an individual organization, as ransomware gangs usually do, REvil this time locked each victim computer as a standalone target, and initially asked $45,000 to unlock each specific one.

President Joe Biden has "directed the full resources" of the government toward investigating the problem, he told reporters Sunday.

The Swedish grocery chain Coop is the largest known victim, and was forced to close most of its roughly 800 stores all day Saturday. Its registers were all controlled online by Visma Esscom, a Kaseya customer, and locked up and rendered unusable.

Exactly how many systems have been infected is unknown, though the number is likely sizable. The cybersecurity firm Huntress, which is helping Kaseya's response, is aware of more than 1,000 individual businesses that have been affected so far, it said.

REvil's claim that they have compromised more than a million devices in this spree is impossible to prove, given how few victims are speaking publicly and the fact that no government or company has a database of everyone who was hit. But that number is plausible, said Mikko Hypponen⁩, a researcher at the cybersecurity company F-Secure, given that this strain of ransomware infects each device individually.

"Think about a retail chain, like grocery retail," Hypponen⁩ said. "Every single cashier system is an endpoint. Every laptop. Everybody in the sales has a system, multiple servers. 200 stores, 300 stores, they alone would have thousands of endpoints. And if a thousand Coop-like companies were infected, yes, you would have a million endpoints."

Regardless of the actual number of victims, it's extremely difficult to imagine victims banding together to jointly pay $70 million, said Allan Liska, an analyst at the cybersecurity firm Recorded Future.

"Despite the braggadocio in their note, I actually think it is actually a sign they are overwhelmed," Liska said.

A million victims that each paid $45 million would be a profit of $45 billion, he noted.

"They are low balling themselves at $70 million," he said.