Over the weekend, U.S. IT management software vendor Kaseya was hit by the REvil ransomware group, which claims to have encrypted more than one million systems belonging to Kaseya's customers and to their customers in turn. Because Kaseya sells its VSA remote-management product to managed service providers, who then use it to administer their own clients' systems, the full extent of the attack is still unknown. Kaseya says that fewer than 40 of its direct customers are affected, but the number of downstream organizations hit through those providers is expected to run into the thousands.
REvil is now demanding $70 million in Bitcoin in exchange for a "universal decryptor" that, it says, would let every affected organization recover its encrypted data.
Kaseya's VSA server was the attack vector last Friday, and the company told customers to shut down on-premises VSA servers immediately to stop the malicious software from being pushed out any further. Over the weekend, Kaseya's own incident response team worked with cybersecurity partners around the globe to contain the damage and close the vulnerabilities in its software. Even so, the advisory still states that on-premises VSA servers must remain offline and that a patch will have to be applied before they are brought back up.
Some affected companies report that the ransom note on their systems demands up to $5 million in Monero, with the amount doubling if the deadline is missed. In parallel, the BBC reports that the group is also offering a "universal decryptor" for $70 million in Bitcoin, which it claims would let all affected companies decrypt their files and restore access to their systems in under an hour.
Demanding payment in Bitcoin, whose public ledger makes transactions far easier to trace than Monero's, is bold, to say the least. Less than a month ago the U.S. Department of Justice (DoJ) seized $2.3 million in Bitcoin that had been paid as ransom to another group, DarkSide, and the FBI publicly warned criminals that nowhere they store their funds is beyond its reach.
That said, the fact that REvil is reportedly extorting individual victims in Monero while simultaneously asking $70 million in Bitcoin for a universal decryptor suggests the larger demand is more of a publicity stunt than a serious offer. The low likelihood that anyone will take REvil up on it lends further weight to that reading. We will keep you updated as the situation develops.