White House rebukes ransomware gang as number of apparent REvil victims remains uncertain
The White House responded to Russia-based ransomware group REvil’s most recent attack against a U.S. company with a promise to take on cybercriminals if the Kremlin will not.
“As the president made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors in Russia we will take action or reserve the right,” White House Press Secretary Jen Psaki said Tuesday when asked about a major data breach at Florida-based IT software firm Kaseya.
Psaki noted that the U.S. intelligence community has not attributed the attack on Kaseya to the REvil group. However the recent hack — in which hundreds of businesses were affected, according to the company — adds to escalating tensions with Russia over its apparent willingness to tolerate ransomware gangs. Psaki said that the White House will meet with high-level Russian officials to discuss ransomware attacks next week.
Psaki also said that the Biden administration will on Wednesday convene an interagency group to discuss the spike in attacks.
Kaseya has estimated the number of affected companies at somewhere between 800 and 1,500. Among the victims are New Zealand schools, international textile company Miroglio Group and Swedish grocery store chain COOP. The exact number of organizations ensnared in the attack is currently unknown, putting both the U.S. government and private sector first-responders at unease over the potential fallout of the massive attack.
The attackers have demanded $70 million in ransom and claimed to have infected over a million devices. Even with the ransomware attack hitting some larger companies, the hackers’ claims of over a million devices is likely exaggerated, Huntress Labs CEO Kyle Hanslovan said in a webinar on Tuesday.
The number of victims could very well number closer to 2,000 and is likely a minimum of 1,500 companies, said Hanslovan. Sophos Labs has identified 145 victims in the United States, including local and state agencies, governments and small and medium-sized businesses.
Because Kaseya supports IT service providers, it’s hard to estimate what the downstream impact of the attack on Kaseya’s clients might be.
“It makes the victimology a little complex,” says Aryeh Goretsky, a researcher at cybersecurity firm ESET. “What’s the impact to their downstream customers? And that is something I don’t have a good handle on yet. I don’t think anyone does.”
Hackers also claimed to have stolen data from victims, though so far neither researchers at Huntress or Sophos have found any evidence supporting those allegations.
This is the second major ransomware attack by REvil in as many months. In June the FBI blamed the group for a ransomware attack on global meat supplier JBS.
This attack, coincided with the Fourth of July weekend, was less targeted than previous attacks by REvil and its affiliates, researchers say. It’s not clear if the group has the resources to collect on all its alleged victims, which could be one reason why the group is asking for $70 million in cryptocurrency to offer a mass decryption tool to all victims.
Sean Gallagher, a senior threat researcher at Sophos, theorizes that the Kaseya attack may have had less to do with the bottom line than showing off the group’s strength in light of attacks by the U.S. government and the crumbling of other ransomware-as-a-service groups.
“They’re pissed off at Joe Biden because he went and made this whole topic of ransomware a topic with Vladimir Putin,” said Gallagher. “This was about delivering a message more than it was about making money.”
“This is a big flip the bird to the U.S.,” he added.
Kaseya is expected to bring its cloud services back online Tuesday and offer patches to on-premise servers within 24 hours of that step.