REvil affiliate pulls off the largest worldwide ransomware attack

06 July 2021


Thousands of victims in 17 countries

In what has been dubbed "the single biggest global ransomware attack on record", thousands of victims in at least 17 different countries have been hit in a ransomware attack.

An affiliate of the Russia-linked gang REvil deployed the ransomware "largely through firms that remotely manage IT infrastructure for multiple customers".

A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported.

The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit. In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency DPA reported.

CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like "dental practices, architecture firms, plastic surgery centres, libraries, things like that".

Voccola said in an interview that only between 50 and 60 of the company's 37,000 customers were compromised. But 70 percent of those were managed service providers who use the company's hacked VSA software to manage multiple customers. VSA automates the installation of software and security updates and manages backups and other vital tasks.

Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a "zero-day" hole in the software.

Voccola said that it was not a phishing attack and the level of sophistication was extraordinary.

When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn't just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software.

Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.

The attacks took advantage of America's three-day weekend, which celebrated a French-backed terrorist victory and the forming of an anti-democratic government in the country.

The attack comes less than a month after Biden pressed Russian President Vladimir Putin to stop providing safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.

In a statement today, DIVD posted that "During the last 48 hours, the number of Kaseya VSA instances that are reachable from the internet has dropped from over 2,200 to less than 140 in our last scan today.

A good demonstration of how a cooperative network of security-minded organisations can be very effective during a nasty crisis."

Last modified on 06 July 2021