Russian-connected Hackers REvil Demand $70M to end Biggest Ransomware Attack on Record

Cybersecurity teams are working feverishly to stem the impact of the single biggest global ransomware attack that played out over the Fourth of July weekend on record, with some details emerging about how the Russia-linked hacker gang ‘REvil’ behind it breached the company whose software was the conduit. The gang now says it has locked more than a million individual devices and is demanding $70 million in bitcoin to set them all free in one swoop.

REvil, also known as Sodinokibi, is a notorious cybercriminal gang that has used ransomware to go after big-name companies, including Apple and Acer. Most recently, it targeted JBS, the world’s largest meat processing company, briefly halting its operations across much of North America and paid $11 million in bitcoin to mitigate the fallout from the attack and protect its data. But this attack’s potential scope is unprecedented, some cybersecurity experts said.

REvil began its spree Friday by compromising Kaseya, a software company that helps companies manage basic software updates. Because many of Kaseya’s customers are companies that manage internet services for other businesses, the number of victims grew quickly. Instead of locking an individual organization, as ransomware gangs usually do, REvil locked each victim computer as a standalone target and initially asked for $45,000 to unlock each one.

President Joe Biden told reporters Sunday that he has “directed the full resources” of the government toward investigating the problem. The Swedish grocery chain Coop is the largest known victim; it closed most of its about 800 stores all day Saturday. Its registers were controlled online by Visma Esscom, a Kaseya customer, and locked up and rendered unusable.

Exactly how many systems have been infected is unknown, although the number is likely to be sizable. The cybersecurity firm Huntress, which is helping Kaseya’s response, said it was aware of more than 1,000 businesses that had been affected.

REvil’s claim that it has compromised more than a million devices is impossible to prove, because few victims are speaking publicly and no government or company has a database of everyone who was hit. But that number is plausible, said Mikko Hypponen, a researcher at the cybersecurity company F-Secure, given that this strain of ransomware infects each device individually.

“Think about a retail chain, like grocery retail,” Hypponen⁩ said. “Every single cashier system is an endpoint. Every laptop. Everybody in the sales has a system, multiple servers. Two hundred stores, 300 stores, they alone would have thousands of endpoints. And if a thousand Coop-like companies were infected, yes, you would have a million endpoints.”

Regardless of the actual number of victims, it’s extremely difficult to imagine victims banding together to jointly pay $70 million, said Allan Liska, an analyst at the cybersecurity firm Recorded Future. “Despite the braggadocio in their note, I actually think it is actually a sign they are overwhelmed. A million victims that each paid $45,000 would yield $45 billion. They are lowballing themselves at $70 million,” he said