Over 1000 companies in MSP supply chain hit by REvil ransomware attack

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

A notorious cybercrime gang known as REvil could have pulled off the most significant ransomware attack the world has seen. The attack which occurred this weekend targeting managed service providers started by targeting an MSP software tool provider, Kaseya.

Some customers of Kaseya were hit by a compromised update package for users of Kaseya’s remote monitoring VSA platform. Because these customers were MSPs with numerous customers of their own, the infected numbers soon started multiplying. So, while the initial ransomware infection was limited to a few dozen Kaseya customers, the supply-chain nature of events meant that each of those initial 30-40 victims had the potential to infect many more.

It quickly became apparent that thousands of small businesses had been impacted and tens of thousands of systems locked down. One of the few positives here is that there does not appear to be any evidence of data being exfiltrated before the encryption took place, so organisations may not be facing that additional problem.

A posting by the REvil group to the dark web site it operates has claimed “more than a million systems were infected” by the “attack on MSP providers.”

“This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen… At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the U.K. and other regions.”

Ross McKerchar – Chief Information Security Officer, Sophos

REvil announced in the same dark web post that they will release a universal decryptor key for a price of just over £50 million ($70 million). This would unlock every system affected by the ransomware attack across the world.

President Biden has already said that initial thinking is that “it was not the Russian government,” but added that he wasn’t sure yet and U.S. intelligence agencies were being directed to investigate.

So, this could yet backfire for REvil, given that we are talking about a criminal gang here rather than a state-sponsored espionage group. Biden has been actively putting pressure on Russia, encouraging them to remove the safe-haven status for ransomware gangs such as Revil who enjoy a certain level of immunity from local law enforcement so long as they avoid domestic targets.

Considering that the majority of ransomware attacks begin with a phishing email, has your organisation taken the necessary precautions to effectively mitigate this threat? Find out in our Free Click-Prone® Test.