US

Russian-speaking hackers claim major ransomware attack which has hit hundreds of US firms

Hackers who claim to be behind a mass ransomware attack that has affected hundreds of companies have demanded $70m in Bitcoin to restore the data.

The attack was executed on Friday and has affected at least 200 companies in the United States.

On Sunday, a ransom demand was posted on a blog typically used by the REvil gang, a major Russian-speaking ransomware syndicate.

President Joe Biden visits the store at King Orchards fruit farm Saturday, July 3, 2021, in Central Lake, Mich. (AP Photo/Alex Brandon)
Image:
President Joe Biden had previously said he could not rule out Russian involvement in the attack

The group said: “We launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor.”

The group has an affiliate structure, making it difficult to determine who speaks on the hackers’ behalf, but Allan Liska from cybersecurity firm Recorded Future said the message “almost certainly” came from REvil’s core leadership.

The ransomware attack was among the most dramatic in a series of increasingly attention-grabbing hacks.

The gang broke into Kaseya, a Miami-based information technology firm, and used their access to breach some of its clients’ clients, setting off a chain reaction that quickly paralyzed the computers of hundreds of firms worldwide.

More on Cyberattacks

Cybersecurity experts blamed REvil for the attack but the statement posted on Sunday was the group’s first public acknowledgement that it was behind it.

Mr Liska said he believed the hackers had bitten off more than they could chew.

“For all of their big talk on their blog, I think this got way out of hand and is a lot bigger than they expected,” he said.

US President Joe Biden said on Saturday that his government is not sure who was behind the attack but he did not rule out Russian involvement.

Experts believe the attack was deliberately timed to coincide with the 4 July holiday weekend, when fewer IT staff are traditionally on duty.

Such cyber attacks typically infiltrate widely used software and spread malware as it updates automatically.

It is not yet clear how many Kaseya customers might be affected or who they might be but the company has hired cybersecurity company FireEye to help deal with the fallout.