A ransomware attack on Friday may have affected more than 1,000 companies in several countries. Among the victims is presumably the Swedish supermarket chain Coop, which had to close about eight hundred stores in the country today after the company's cash registers were paralyzed by a cyber attack. The Dutch company VelzArt in Waardenburg, which provides ICT services to SMEs, was also affected, as reported in a blog.
The hackers, linked by analysts at security company Huntress Labs to the Russian cyber gang REvil, managed to encrypt their victims' systems and make ransom demands to make the files available again. Small companies would have to pay about 45,000 dollars (about 38,000 euros), larger companies 5 million.
The hackers gained access to all those systems by breaking into VSA, a popular software package from the company Kaseya, which IT companies use to remotely manage their customers' computer systems. Kaseya advises users to disable VSA servers immediately. The National Cyber Security Center in The Hague also calls on Dutch users to do so.
White House Sanctions
These types of ‘supply chain attacks’, in which software from a trusted third party is misused to penetrate victims, are on the rise. In December, it came to light that hackers had secretly managed to piggyback on an update of the widely used network monitoring package Orion from the company SolarWinds in the previous months, to break into US government services, among others. In that hack, the perpetrators were presumably after confidential information. In April, the White House imposed sanctions on six Russian tech companies allegedly involved in the break-in on behalf of Russian intelligence services.
This time, however, it seems that the perpetrators were purely after money. “This is one of the most sweeping non-state attacks we’ve ever seen, and it appears to be purely for money,” Andrew Howard of Swiss security firm Kudelski Security told Bloomberg.
REvil, which is associated with this latest attack, offers Ransomware-as-a-Service, in which criminal clients rent the encryption software and, for a fee, outsource the handling of negotiations and payment by their victims. The group is held responsible, among other things, for the ransomware attack on meat processor JBS last May. That company paid about 11 million dollars (9.3 million euros) for the restoration of its systems, after slaughterhouses in the United States and Australia, among others, were shut down.
Russia turns a blind eye
During a meeting with his counterpart Vladimir Putin on June 16 in Geneva, US President Joe Biden mentioned the attack, among other things. The United States accuses Russia not only of regularly carrying out cyber attacks, such as in attempts to influence the American elections or the SolarWinds attack, but also of turning a blind eye to the activities of criminal gangs such as REvil.
Biden warned in the run-up to that meeting that “all options are on the table” when dealing with cyberattacks, including active hacking back. In May, the FBI seized the servers and much of the ransom paid by another Russian ransomware group, DarkSide. That group had, among other things, extorted 4.4 million dollars (more than 3.6 million euros) from Colonial Pipeline, a crucial fuel pipeline in the eastern United States, which had been shut down for days due to a ransomware attack.
After the summit, Putin denied that Russia is playing a major role in the ransomware attacks or other forms of hacking. Biden said he had agreed with Putin to continue negotiations on a list of vital pieces of US infrastructure that should never be used for cyber-attacks.
It is not yet clear which companies were affected by the attack on Kaseya. It is feared that the scale of the attack will increase considerably in the coming days: because of Independence Day, Americans have a long weekend, which means that many companies will not start up again until Tuesday.
Update (July 3, 2021): This post was updated on Saturday evening.