REvil, a ransomware group, is said to have infected over 1 million computers with malware through a network-management package provided by Kaseya, a global supplier of remote-management software. The group is now demanding $70 million in Bitcoin from 200 US firms as ransom to unlock the infected machines.
REvil announced on its Happy Blog dark-web site that it had infected more than one million machines around the globe with malware. The group added that it would unlock all infected machines for a total of $70 million, although it was also negotiating individual ransoms of up to $5 million.
“If anyone wants to negotiate about universal decryptor, our price is $70,000,000 in BTC and we will publish publicly decryptor that decrypts files on all victims, so everyone will be able to recover from attack in less than an hour,” read part of the blog post from the group.
This makes it the largest ransomware attack on IT systems. In response to the event, US President Joe Biden has asked the FBI to investigate and warned Russia of dire consequences if it is found to be involved. The attack coincided with the July 4 holiday weekend, when companies had fewer workers on duty and were less able to respond.
Those affected include IT systems in Sweden and the Netherlands. Although only a few of Kaseya's customers were hit directly, the attack has brought down IT systems in 17 countries through knock-on effects. John Hammond, a senior security researcher at Huntress Labs, said that REvil attacked managed service providers with over 1000 endpoints through Kaseya's technology and that the attack was "colossal and devastating." He said that when the providers were hit, the effects then spread to all of their customers.
REvil attacked the Colonial Pipeline company in May and forced it to pay a $5 million ransom to remove restrictions on its services. Another company, JBS Holdings, also paid an $11 million ransom on May 30 when REvil struck its systems.
After receiving the ransom of 301 Bitcoins from JBS, REvil used coin-mixing techniques to obscure the source of the funds and hinder tracking. It split the transaction and sent the amount to about 221 addresses, according to the blockchain analytics firm Coinfirm. Such mixing makes manual analysis time-consuming and error-prone.
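To show why a split across many addresses defeats manual tracing, and how an investigator automates it instead, here is an added example that is not from the article, from Coinfirm, or from any real ledger data. It builds a small constructed UTXO-style ledger in which one payment is fanned out over several hops and partly merged with clean funds, then propagates "taint" forward with the proportional (haircut) model: every output of a spend inherits the tainted fraction of that spend's inputs. All transaction ids, addresses and amounts are made up, the ledger is assumed to be in chronological order, and fees are ignored so that tainted coins are conserved.

```python
"""Proportional ("haircut") taint tracing over a constructed UTXO ledger.

Added example, not from the article or from Coinfirm. Every txid, address and
amount below is constructed; there are no fees and the ledger is in
chronological order, so every input refers to an output already seen.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from fractions import Fraction

# (txid, inputs, outputs); inputs = [(prev_txid, vout)], outputs = [(address, btc)].
# An empty input list means the funds came from outside the traced set.
LEDGER = [
    ("fund_clean", [], [("clean_wallet", 50)]),
    ("ransom_pay", [], [("attacker_in", 301)]),               # the payment we follow
    ("split_1", [("ransom_pay", 0)], [("hop_a", 100), ("hop_b", 100), ("hop_c", 101)]),
    ("split_2", [("split_1", 0)], [("hop_d", 40), ("hop_e", 60)]),
    ("merge_1", [("split_1", 1), ("fund_clean", 0)], [("cashout_x", 150)]),  # clean + tainted
    ("split_3", [("split_2", 1)], [("cashout_y", 30), ("cashout_z", 30)]),
]


@dataclass
class TaintReport:
    unspent: dict = field(default_factory=dict)   # address -> (balance_btc, tainted_btc)
    touched: set = field(default_factory=set)     # every address that ever held tainted coins


def trace_taint(ledger, source_txid):
    """Follow the outputs of `source_txid` forward through every later spend.

    Haircut model: when a transaction spends tainted and clean inputs together,
    each of its outputs inherits the tainted fraction of the input total.
    """
    tainted, amount, addr_of, spent = {}, {}, {}, set()
    report = TaintReport()
    for txid, inputs, outputs in ledger:
        if txid == source_txid:
            frac = Fraction(1)
        elif inputs:
            total_in = sum(amount[i] for i in inputs)   # KeyError = unknown or out-of-order input
            frac = sum(tainted[i] for i in inputs) / total_in
        else:
            frac = Fraction(0)                            # externally funded, not traced
        spent.update(inputs)
        for vout, (addr, btc) in enumerate(outputs):
            key = (txid, vout)
            amount[key] = Fraction(btc)
            tainted[key] = Fraction(btc) * frac
            addr_of[key] = addr
            if tainted[key] > 0:
                report.touched.add(addr)
    balances = defaultdict(lambda: [Fraction(0), Fraction(0)])
    for key in amount:
        if key not in spent:                              # only current holdings matter
            balances[addr_of[key]][0] += amount[key]
            balances[addr_of[key]][1] += tainted[key]
    report.unspent = {a: (float(b), float(t)) for a, (b, t) in balances.items()}
    return report


def tainted_total(report):
    """Sum of tainted coins still unspent; with no fees it equals the source amount."""
    return sum(t for _, t in report.unspent.values())


if __name__ == "__main__":
    rep = trace_taint(LEDGER, "ransom_pay")
    print(f"{len(rep.touched)} addresses touched tainted funds")
    for addr, (bal, taint) in sorted(rep.unspent.items()):
        print(f"{addr:12} balance={bal:8.2f}  tainted={taint:8.2f}")
    print("tainted total:", tainted_total(rep))
```

The conservation check (`tainted_total` equals the 301 that entered) is the sanity test an analyst runs after each hop: if it drifts, an input was missed or double-counted, which is exactly the error a hand-drawn trace over a couple of hundred addresses invites. The merge transaction also shows the limit of the model: once tainted and clean coins are spent together, the trace can only say that two thirds of the cash-out is tainted, not which coins.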