REvil Gang, Possible Culprit of the Ransomware Attack that Affected 200 U.S. Businesses

A cyberattack hit U.S. businesses on Friday. Huntress Labs, a cybersecurity company, had warned beforehand that a ransomware campaign was likely to unfold over the long weekend and could severely affect hundreds of American businesses. On July 2, 2021, the firm stated that around 200 American businesses were on the receiving end of the attack following an incident at the Miami-based IT firm Kaseya. The new threat is potentially the latest in a line of hacks affecting US companies.

According to the security firm's investigation, the REvil gang, a major Russian-speaking ransomware syndicate, is behind the attacks. So far, it has been reported that the criminal gang's target was Kaseya, a Miami-based software supplier whose network-management package was used to spread the ransomware via cloud-service providers.

The criminal gang has been active since April 2019. It operates a ransomware-as-a-service model: the group develops the network-paralyzing software and leases it to affiliates, who infect targets and keep the lion's share of the ransoms. Affiliates typically steal data from their targets first, after which the ransomware is activated to strengthen the extortion effort. The average ransom payment received by the group last year was about half a million dollars.

Kaseya, the affected firm, is a large enterprise serving small businesses globally, so experts are worried that the malware has the potential to spread on a large scale. It could even become a colossal and devastating supply chain attack, since such cyberattacks infiltrate widely used software and spread malware through automatic updates. It is still unclear how many Kaseya customers have been affected and who they are. On its website, the company has urged customers to immediately shut down the servers running the affected software.

The federal Cybersecurity and Infrastructure Security Agency (CISA) put out a statement saying that it is closely monitoring the situation and working with the FBI to learn more about the attack and its subsequent impact. CISA urged those affected to follow Kaseya's guidance on shutting down VSA servers without fail.

Brian Honan (Irish cybersecurity consultant) said by email that the ransomware attack is a classic case of a supply chain attack, in which criminals compromise a trusted supplier in order to abuse its customers. This is easy to accomplish because small businesses are unlikely to have the ability to defend themselves, given their reliance on the security of their suppliers and their software. Williams from Rendition Infosec said that the only positive side of the attack is that not many customers have Kaseya on all their machines, which makes it hard for the attackers to move across an organization's entire computer system. He was optimistic that this might lead to an easier recovery.