The recent Kaseya ransomware incident has shaken up the cybersecurity community, as well as the US government. With time, more details have surfaced online, the most notables one being the high ransomware demand of $70 million from REvil for a universal decryptor for victims. As Kaseya carries on with investigations, the firm highlight a zero-day exploit for the supply-chain attack.
REvil Demands $70 Million From Kaseya Ransomware Victims
Following the devastating ransomware attack on Kaseya, the firm urged all the customers to shut down VSA servers.
However, reports reveal that the damage was already done. While Kaseya initially estimated around 40 MSPs to have suffered the impact, it later turned out that the incident possibly impacted roughly 1500 businesses. This includes the customers served by the businesses that used Kaseya – hinting at an indirect effect too.
For instance, the Swedish supermarket chain Coop shut down its 500 stores in the wake of this incident. Although Coop didn’t use Kaseya services, one of their providers, Visma, did. Hence, they also suffered the impact since Visma faced direct damage.
According to Bleeping Computer, the attackers, REvil, have mentioned encrypting about a million systems during this attack on their site.
While the attackers initially demanded ransoms from individual victims, they later made a generous offer of publishing a decryptor publicly. However, for that, they put up the highest ever demand – $70 million in BTC.
Before this one, REvil sought the largest ransom of $50 million from Acer.
Kaseya Rules Out Malicious Update – Points Out Zero-Day Exploit
As Kaseya continues investigating the matter, they clarified that the supply-chain attack was not a result of a malicious update. The firm confirmed no change to the VSA codebase.
Instead, as revealed, what triggered the attack was a zero-day vulnerability.
Briefly, researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) have previously reported the VSA server vulnerability to Kaseya in April. As per the limited disclosure, Kaseya was already in the middle of fixing the bug(s).
But, unfortunately, the attackers detected the vulnerabilities and exploited them before a fix could arrive. Hence, Kaseya had to shut down VSA servers.
For now, Kaseya has asked all the customers to abandon VSA servers until further notice.
As for the victims, the FBI has advised the following recommendations from Kaseya CISA for remediation, besides shutting down VSA servers.
