REvil ransomware group strikes again with attack on hundreds of companies right before long holiday weekend

Homeland Security secretary Alejandro Mayorkas speaks at a White House press briefing on March 1, 2021. AP Photo/Andrew Harnik
  • Russian-based REvil launched a ransomware attack on Friday that may have impacted hundreds of companies.
  • The group targeted IT management software provider Kaseya VSA in what’s known as a supply-chain attack.
  • REvil most recently attacked meat supplier JBS and received an $11 million payment from the company.

Just ahead of the long holiday weekend in the US, Russian-based REvil launched a ransomware attack that could have impacted hundreds of companies.

In what’s being called the “largest and most significant” ransomware attack to date by Emsisoft threat analyst Brett Callow, REvil targeted IT management software provider Kaseya VSA in what’s known as a supply-chain attack.

The attack on Kaseya appears to have spread to hundreds of its end users, but given its timing, the full extent of the damage may not be known until next Tuesday, when employees return to the office following the long 4th of July weekend.

REvil, which is a Russian-linked criminal ransomware-as-a-service organization, most recently attacked meat supplier JBS, which ultimately paid $11 million to get its processing plants back online.

After learning of the attack on Friday, Kaseya shut down its servers and began warning its customers, according to a company statement.

“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” the company said, adding that it believes fewer than 40 of its customers were affected.

But many of Kaseya’s customers are managed service providers that in turn have hundreds of customers of their own, each of which could have been infected with the ransomware.

“This is SolarWinds, but with ransomware. When a single MSP is compromised, it can impact hundreds of end users. And in this case it seems that multiple MSPs have been compromised,” Callow told Wired.

While the US government strongly discourages businesses from paying ransom demands, many businesses feel they have no choice, as the encrypted data is essential to keep operations running. The hackers honor the terms of their ransom, because they want to build credibility that paying the fee will in fact get a victim’s data back.

The US Cybersecurity and Infrastructure Security Agency said on Twitter it is “taking action to understand and address the supply-chain ransomware attack” against Kaseya VSA.

Al Saikali, partner at law firm Shook, Hardy & Bacon LLP, told The Wall Street Journal that ransom demands in six Kaseya-related attacks the firm is consulting on range from $25,000 to $150,000. But for large service providers impacted by the attack, the ransom demands have been as high as $5 million.

Assuming REvil’s ransomware attack has compromised hundreds of companies, now the question is “how many simultaneous negotiations REvil can handle and whether companies that want to pay may face delays,” according to Callow.