While many have been enjoying their holiday weekend, a massive ransomware attack paralyzed the networks of thousands of businesses worldwide. The Russian group, REvil, is responsible for this massive attack, which many suspect is the largest ransomware attack on record. Keep reading for everything you need to know.
Who is REvil?
REvil is a notorious cybercrime gang that has been active since April 2019. You may remember their recent ransomware attack on JBS, the world’s largest meat processing company. They are unusual in that they operate as “ransomware-as-a-service”: they develop the ransomware and lease it out to ‘affiliates’, who carry out the attacks, while REvil takes a share of the ransoms.
The ransomware attack started Friday, July 2. Many speculate that the timing was very intentional – noting it happened before the Fourth of July holiday weekend, when many IT staff are away on vacation.
The cyber criminals targeted a software supplier called Kaseya, an IT services company, through a vulnerability in the update mechanism of its software. Kaseya was aware of the vulnerability and was working diligently to patch it. Unfortunately, REvil was able to take advantage of the vulnerability before Kaseya was able to issue the fix.
The ransomware got in through the vulnerability and then spread using Kaseya’s trusted distribution mechanism. Once the malware had infected Kaseya’s infrastructure, it could reach all of Kaseya’s customers through the same update channel they trusted, without those customers doing anything wrong.
The ransomware was able to do this by running a series of commands to hide its activity from Microsoft Defender, the antivirus software built into Windows. This allowed the malware to slip past the real-time antivirus protection and start encrypting files on the victim’s computer.
FixMeTip: this is why having antivirus is important, but you should also run FixMeStick at least once a month as a second line of defense. Because it starts before your system boots, it is able to remove infections that won’t come off while your system is running.
REvil took it one step further and even executed code to make it more difficult for victims to recover data from their backups. This is why here at FixMeStick, we recommend backing up your computer to an external hard drive that is stored ‘offline’, so no viruses or hackers can get their hands on it.
A wide range of services across the globe were affected, including the Swedish grocery store chain “Coop”, which had to close stores for a second straight day because its cash registers were down.
Kaseya issued a statement urging customers to immediately shut down any services running the affected software, in hopes of stopping the spread.
CISA, the US Cybersecurity and Infrastructure Security Agency, is closely monitoring the situation and working with the FBI to collect more information.
As for the infected computers, REvil is asking for $70 million in ransom to provide the universal decryption key. This is the highest ransom demanded to date, beating REvil’s previous request of $50 million after its attack on the computer brand Acer.
This story is still developing so check back to learn more or join our newsletter list to keep up-to-date on all things related to your cybersecurity. Click here to subscribe today!
Update as of July 14, 2021:
The REvil ransomware websites have all gone dark. The blog and payment portal are also closed. People are speculating that the group has been kicked offline. While it is unclear why or by whom, we’ll keep an eye on this developing story. You can read more about this development here.