Notorious ransomware operator REvil has made the largest ransom demand of all time, demanding US$70 million (~AU$93.5 million at time of publication) to decrypt the 1,000-plus victims in the Kaseya ransomware attack.
CRN Australia has reported that five Australian MSPs were amongst the victims of the attack.
The offer to publicly provide a decryptor to all victims represents a shift in tactics for REvil, which up until now had been demanding separate, smaller payments from each victim: US$5 million from larger companies, US$500,000 from smaller firms with multiple locked file extensions, and US$45,000 from smaller companies where the locked files all share the same extension.
“On Friday (02.07.2021), we launched an attack on MSP providers,” REvil wrote on its dark web leak site late Sunday.
“More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is $70,000,000 BTC [Bitcoin] and we will publicly publish decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.”
A universal decryptor would provide victims with an easier and faster path to recovery, and REvil is likely hoping that insurers see US$70 million as a small price to pay for eliminating some downtime, Emsisoft threat analyst Brett Callow told CRN US.
Meanwhile, Recorded Future’s Allan Liska said the offer from REvil suggests the ransomware gang is simply unable to cope with the sheer quantity of infected networks.
“This attack is a lot bigger than they expected and it is getting a lot of attention,” Liska told the Associated Press Sunday. “It is in REvil’s interest to end it quickly. This is a nightmare to manage.”
REvil encrypted the systems of more than 1,000 small businesses across at least 17 countries by compromising their MSPs through a vulnerability in Kaseya’s VSA remote monitoring and management tool.
Kaseya CEO Fred Voccola told the Associated Press Sunday that between 50 and 60 MSPs were compromised, while Sophos said Sunday it has evidence that the attack impacted more than 70 MSPs.
REvil’s $70 million ask in the Kaseya cyberattack is the largest-ever ransom demand to become publicly known, surpassing a US$50 million ransom demand in March also made by REvil after compromising Taiwanese PC giant Acer.
Last year, REvil wanted $42 million from celebrity law firm Grubman Shire Meiselas & Sacks, which counted Nicki Minaj, Mariah Carey and LeBron James among its clients.
Organisations have become increasingly willing to fork over multi-million-dollar ransoms in recent months, with Colonial Pipeline paying Darkside US$4.3 million in May with the hope of restoring operations on its 5,500-mile pipeline sooner.
US Federal authorities seized US$2.3 million of Colonial’s payment by reviewing the Bitcoin public ledger and identifying proceeds that had been transferred to a specific address.
Similarly, meatpacking giant JBS paid REvil US$11 million last month to shield the company’s meat plants from further disruption and limit the potential impact for restaurants, grocery stores and farmers, CEO Andre Nogueira said at the time.
A Kaseya spokesperson declined to comment on whether the company plans to pay the $70 million ransom demanded by REvil, citing the ongoing criminal investigation.
“It is absolutely the biggest non-nation-state supply-chain cyberattack that we’ve ever seen,” Liska told The Washington Post Friday. “And it’s probably the biggest ransomware attack we’ve seen, at least the biggest since WannaCry.”