The REvil ransomware gang is increasing the ransom demands for victims encrypted during Friday's Kaseya ransomware attack.
When conducting an attack against a business, ransomware gangs such as REvil typically research a victim by analyzing stolen and public data for financial information, cybersecurity insurance policies, and other details.
Using this information, the number of encrypted devices, and the amount of stolen data, the threat actors come up with a high-ball ransom demand that they believe, after negotiations, the victim can afford to pay.
However, with Friday's attack on Kaseya VSA servers, REvil targeted the managed service providers and not their customers. As a result, the threat actors could not determine how large a ransom they should demand from the encrypted MSP customers.
As a solution, it appears the ransomware gang created a base ransom demand of $5 million for MSPs and a much smaller ransom of $44,999 for the MSPs' customers who were encrypted.
It appears this $44 thousand amount is irrelevant, as in numerous negotiation chats shared with and seen by BleepingComputer, the ransomware gang is not honoring these initial ransom demands.
When encrypting a victim's network, REvil can use multiple encrypted file extensions during the attack. The threat actors typically provide a decryptor that can decrypt all extensions on the network after a ransom is paid.
For victims of the Kaseya ransomware incident, REvil is doing things differently and demanding between $40,000 and $45,000 per individual encrypted file extension found on a victim's network.
For one victim who said they had over a dozen encrypted file extensions, the ransomware gang demanded a $500,000 ransom to decrypt the entire network.
However, the good news is that the REvil representatives have told victims that they only encrypted networks, and nothing more. This means REvil likely did not steal any of the victims' data, as they are known to use that as leverage in ransomware negotiations immediately.
This also indicates that the ransomware operation did not access the victims' networks before the attack. Instead, they likely remotely exploited the Kaseya VSA vulnerability to distribute the encryptor and execute it on the victims' devices.
Since the attacks on Friday, Kaseya has been working on releasing a patch for the zero-day vulnerability exploited in the REvil attack.
This zero-day was discovered by DIVD researchers, who disclosed it to Kaseya and were helping test the patch.
Unfortunately, REvil discovered the vulnerability at the same time and launched their attack on Friday before the patch was ready, just in time for the US Fourth of July holiday weekend.
It is believed that over 1,000 businesses have been affected by the attack, including attacks on the Swedish Coop supermarket chain, which had to close roughly 500 stores, a Swedish pharmacy chain, and the SJ transit system.
President Biden has directed US intelligence agencies to investigate the attack but has not gone so far as to state that the attacks originated from Russia.
The FBI also announced today that they are investigating the incident and working closely with CISA and other agencies.
"The FBI is investigating the Kaseya ransomware incident and working closely with CISA and other interagency partners to understand the scope of the threat."
"If you believe your systems have been compromised, we encourage you to employ all recommended mitigations, follow Kaseya's guidance to shut down your VSA servers immediately and report to the FBI at ic3.gov," said the FBI in a press statement.