File picture: Pexels

All you need to know about the Kaseya ransomware attack

By AFP | Published Jul 6, 2021


by Katy Lee / Yassine Khiri

A major cyberattack has potentially hit more than 1,000 companies worldwide, forcing a Swedish supermarket chain to shut hundreds of stores.

The hackers are demanding $70 million in bitcoin to unlock the systems encrypted in the ransomware attack against Miami-based IT company Kaseya.

But what exactly is a ransomware attack, and who is behind this one? Here are some key questions about the attack, which has paralysed businesses since Friday.

How bad is it?

Ciaran Martin, cybersecurity professor at the University of Oxford, said this was "probably the biggest ransomware attack of all time", although the full scale of the damage remains unclear.

Kaseya says only "a very small number" of its direct customers were affected.

But Kaseya's clients include many smaller companies, known as managed service providers, which in turn run the IT systems of other businesses, so one compromised provider can mean dozens of compromised end customers.

Huntress Labs, a cybersecurity firm working with partners targeted in the attack, has said it believes more than 1,000 companies may have been hit overall.

Among them are Swedish supermarket Coop, which has been forced to close hundreds of stores over the past three days after the hack pushed its checkouts offline.

Hackers claiming responsibility for the attack said they had infected "more than a million systems".

Why attack Kaseya?

This was what is known as a "supply chain attack": rather than breaking into each victim separately, the hackers compromised a piece of software that many businesses trust and rely on, and used its own distribution channel to strike a huge number of victims with a single blow.

Kaseya provides IT management software to some 40,000 small and medium-sized businesses worldwide -- including the smaller firms that manage the computers of other firms. Software of this kind is designed to push updates and commands to every machine it manages, which is exactly what made it so useful to the attackers.

"It's using software that is used by many businesses in order to penetrate their networks," said French cybersecurity expert Loic Guezo, drawing a parallel with the spectacular attack against software firm SolarWinds last year.

Martin said that merging a supply chain attack with the motivation of extortion was new.

Most previous supply chain attacks, including SolarWinds, have been motivated by espionage, he said.

"Here, instead of getting that large-scale access to spy, they did it to deploy ransomware."

What's a ransomware attack?

Ransomware attacks typically involve encrypting companies' or individuals' data so that they cannot read it, then demanding payment for the key needed to regain access. Increasingly, attackers also copy the data out before encrypting it and threaten to publish it if the ransom is not paid, so that having good backups alone is no longer enough to shrug off the extortion.

Such digital hostage-taking is increasingly common. Last year alone, at least $18 billion was sent to hackers using ransomware, according to security firm Emsisoft.

"One of the things we've seen with ransomware over the past year or two is that the business model has got really sophisticated," Martin said.

"The hackers are researching targets and seeing if they've got insurance policies, so they can calculate what an affordable payout is."

Payments are usually demanded in cryptocurrency such as bitcoin, which makes them far harder to trace than a bank transfer, though not impossible: bitcoin is pseudonymous rather than anonymous, and law enforcement has on occasion followed the money and recovered part of a ransom.

In this case the hackers are believed to be seeking ransoms of between $50,000 and $5 million from individual victims as well as the eye-catching $70 million lump sum, Martin said.

The United States has found itself a particular target of major cyberattacks in recent months, including the SolarWinds espionage campaign and the ransomware attack on the Colonial oil pipeline.

The FBI has blamed those attacks on Russia-based hackers, and US President Joe Biden raised the issue with his counterpart Vladimir Putin at their summit last month.

Moscow, suspected of turning a blind eye to the hackers or even encouraging them, denies any involvement.

Who's behind the Kaseya attack?

Numerous experts have pointed the finger at a Russian-speaking hacking group known as REvil.

The demand for $70 million was posted on Happy Blog, a site on the dark web previously associated with REvil, who are also known as Sodinokibi.

The FBI believes REvil were also behind last month's attack on global meat processing giant JBS, which ended with the Brazil-based company paying bitcoin worth $11 million to the hackers.

REvil, who first emerged around 2019, operate what is known as ransomware-as-a-service: the core group maintains the malware and the extortion infrastructure, and leases them to affiliates who carry out the actual break-ins in exchange for a share of the loot.

They are seen as among the most dangerous ransomware attackers out there, carrying out around 29 percent of such attacks in 2020, according to a recent report by IBM's Security X-Force unit.

That report estimated that REvil took ransoms worth at least $123 million in 2020.

Agence France-Presse
