Russian Hacker Group, REvil, Commits One Of Its Largest U.S. Ransomware Attacks
The Russian hacking group REvil, also known as Sodinokibi, carried out a large ransomware attack on Friday after breaching a Florida-based IT software company, Kaseya. The cybercriminals admitted their involvement in a message posted to their dark web blog, ironically called “Happy Blog.” There, they also claimed to have infected more than one million companies worldwide. They are now asking for $50 million in Bitcoin (originally it was $70 million). Once they receive the money, they said, they will publish a universal decryptor that would let affected companies unlock their computers.
The Infrastructure Security Agency and the FBI have said that they are working together to monitor the situation.
Kaseya CEO Fred Voccola recorded a video responding to the attack, laying out what happened, the facts as known so far, and the steps the company is taking to keep its employees and customers safe.
Voccola said he understood how the breach had happened. REvil first gained access to Kaseya’s backend infrastructure and used it to push malware to the VSA servers that the company’s clients rely on. The malware was then installed on each computer managed by those VSA servers. In a domino effect, other companies whose systems were managed through those same VSA servers became exposed to the attack as well.
Kaseya sells its products to MSPs, or managed service providers, which in turn offer IT support to smaller businesses. Through Kaseya’s VSA cloud platform, the MSPs push software updates to those businesses, which often lack the resources to run such functions themselves. If that platform is compromised, though, the clients downstream become more vulnerable to hacks and viruses on their computers.
As of Monday, VSA servers linked to Kaseya are still offline.
“I know a lot of you have a lot of questions. But we are resourced for it right now. We have leveraged the right people in the world,” said Voccola in the video. “And we are looking forward to getting back to being your vendor of choice and to helping everybody here serve their customers and their IT departments.”
REvil is a cybercrime gang that came together in 2019. While there is no evidence that it is linked to any Russian government officials, the group is known to earn more than $100 million each year, and it is believed it could not operate without the tacit consent of the Russian government. It targets large global companies and usually demands to be paid in bitcoin. Apple, Acer, SolarWinds and Colonial Pipeline are among the big-name companies this gang has targeted.
Last month, JBS, one of the largest meat processing companies, paid REvil $11 million in bitcoin just to get its operations running again.
President Joe Biden met with Russian President Vladimir Putin last month to discuss these kinds of cyberattacks and how the two countries might work together to fight them. He has since been criticized for giving Putin only vague responses about the consequences Russia might face from the U.S. for future attacks.
Biden says that he is not certain yet whether or not Russia is to blame.
Not only have Kaseya and those in its network been breached, but so have other public-sector organizations, including schools, travel agencies and even some accountants worldwide.
Data from the cybersecurity firm Check Point Research shows that cyberattacks have increased by 93% over the past year. Gangs like REvil usually wait for big holidays, like the Fourth of July, to launch their attacks.