Following their exploitation of Kaseya’s 0-day vulnerability, REvil ransomware gang is now demanding a $70 million ransomware payment, as reported by The Record. If honoured, this would be the highest ransomware ever paid, or demanded, for that matter.
The cybercriminals came forward and took responsibility for the attacks, claiming that they had locked more than a million systems during the hack. The blog post also demanded the $70 million ransom in Bitcoin for a universal encryptor that’ll recover all files in less than an hour, as claimed by the gang.
Ransomware demands have been reaching new limits recently. Previously, the CNA Insurance ransomware was the highest ever, coming in at $40 million, which was then topped by the ransomware attack on Acer, priced at $50 million.
Thousands of businesses are hit
According to a report by BleepingComputer, during the attack of Kaseya servers, REvil targeted MSPs and not their customers. This led to the attackers scrambling more data than they could handle and changed their ransom amount from the previously demanded $5 million.
REvil encrypted files on the victim’s machines using multiple individual encrypted file extensions. Now the gang is demanding between $40,000 to $45,000 per individual encrypted file extension. One victim who had over a dozen different encrypted file extensions on their network were asked to pay a $500,000 ransom to decrypt the entire network.
As Kaseya scrambles to make a patch that can fix this issue and get their services back up and running, it is estimated that over a thousand businesses are caught in the crossfire. These include the Swedish supermarket chain Coop, which had to close approximately 800 stores, the SJ transit system and a Swedish pharmacy chain.
Kaseya themselves deferred an announcement regarding the restoration of their SaaS services, stating that “to best minimise customer risk, more time was needed before we brought the data centres back online”, as reported by The Record.
US President Joe Biden has ordered US intelligence to investigate the incident but hasn’t yet explicitly stated any origin of the attack. The FBI released a statement saying that they are investigating the incident with the CISA and other interagency partners on Sunday.
“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov,” FBI said in a statement. “Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.”