
Gang behind huge cyber-attack demands $70m in Bitcoin

The gang behind a "colossal" ransomware attack has demanded $70m (£50.5m) paid in Bitcoin in return for a "universal decryptor" that it says will unlock the files of all victims.

The BBC has reported that the REvil group claims its malware, which initially targeted US IT firm Kaseya, has hit a staggering one million "systems".


The exact number of victims has not been verified and is currently unknown.

However, the victims are known to include 500 Swedish Coop supermarkets and 11 schools in New Zealand, along with two Dutch IT firms, according to local media reports.


Last week, cyber-security firm Huntress Labs estimated about 200 firms had been affected.

The "supply chain" attack initially targeted Kaseya, before spreading through corporate networks that use its software.


Kaseya said that fewer than 40 of its own customers had been affected.

But because Kaseya provides software to managed service providers, firms which themselves provide outsourced IT services to other companies, the number of victims may be much greater.


And the number of individual computer systems within those victim organisations could be greater still.



Prof Ciaran Martin, founder of the National Cyber Security Centre, told Radio 4's Today programme: "The scale and sophistication of this global crime is rare, if not unprecedented."

Most of REvil's members are believed to be based in Russia or countries that were formerly part of the Soviet Union.


Prof Martin criticised Russia for providing a safe environment for ransomware hackers, but said that the West was making it too easy for these gangs to be paid and "unsurprisingly they are coming back for more".

Experts have also expressed surprise at the group's demand that the ransom be paid in 'traceable' Bitcoin, as opposed to harder-to-trace cryptocurrencies such as Monero.


Tom Robinson, founder and chief scientist of Elliptic, a firm which analyses Bitcoin payments, said he had observed REvil continuing to negotiate with individual victims for smaller ransoms of about $200,000, despite the $70m request to unlock everything.


He said REvil preferred to use Monero, but it would be difficult to purchase $70m of the currency for practical and regulatory reasons.


But he said: "More and more ransomware operators are asking for Monero."

NCSC Official Statement on Kaseya cyber incident


An NCSC spokesperson said:

“We are actively working to fully understand this incident and mitigate potential risks to the UK.
“At this stage we have seen evidence of a limited impact to UK organisations, though our work is ongoing and we remain vigilant to any threats.
“We encourage Kaseya customers to read the company’s incident update page, which recommends that people who have been affected do not click on any links emailed to them by the attackers as they could be malicious.”

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.