A ransomware attack infected at least 200 companies on Friday. The victims are believed to include Swedish supermarket chain Coop, which was forced to close nearly 800 stores in the country today after the company’s cash registers were crippled by a cyber attack.
The hackers, who were linked by analysts from the security company Huntress Labs to the Russian cyber gang REvil, managed to encrypt the systems of their victims and demand a ransom to make the files available again. Small companies have to pay about 45,000 dollars (about 38,000 euros) and larger companies 5 million dollars.
Hackers gained access to all of these systems by breaking into VSA, a popular software package from Kaseya, which IT companies use to remotely manage their customers’ computer systems. Kaseya advises users to disable VSA servers immediately. The National Cyber Security Center in The Hague is also calling on Dutch users to do so.
White House sanctions
These types of “supply chain attacks”, in which trusted third-party software is misused to infect victims, are on the rise. In December, it was revealed that in previous months hackers had secretly managed to tamper with an update to the widely used network monitoring package Orion from SolarWinds, to break into US government services, among other things. In this hack, it is assumed that the perpetrators were after classified information. In April, the White House imposed sanctions on six Russian technology companies allegedly involved in the hack on behalf of Russian intelligence services.
But this time, it seems that the culprits were only after the money. “This is one of the most extensive non-state attacks we’ve ever seen, and it looks like it’s just for the money,” Andrew Howard of Swiss security firm Kudelski Security told Bloomberg.
REvil, which has been linked to this latest attack, offers ransomware-as-a-service, in which criminal clients, for a fee, rent encryption software and outsource the negotiation process and the payments by their victims. The group is responsible, among other things, for the ransomware attack on meat processor JBS last May. That company paid about $11 million (9.3 million euros) to overhaul its systems after shutting down slaughterhouses in the United States and Australia, among other countries.
Russia turns a blind eye
During a meeting with his counterpart Vladimir Putin on June 16 in Geneva, US President Joe Biden mentioned the attack, among other things. The United States accuses Russia not only of regularly carrying out cyber attacks, such as attempts to influence the US elections or the SolarWinds attack, but also of disregarding the activities of criminal gangs such as REvil.
Biden warned in the lead-up to that meeting that “all options are on the table” when dealing with cyberattacks, including active hacking. In May, the FBI seized the servers of, and the ransom paid to, another Russian ransomware group, DarkSide. That group had extorted, among other things, $4.4 million (more than 3.6 million euros) from Colonial Pipeline, an important fuel pipeline in the eastern United States, which had been shut down for several days due to a ransomware attack.
After the summit, Putin denied that Russia plays a major role in ransomware attacks or other forms of hacking. Biden said he and Putin agreed to continue negotiations on a list of vital parts of US infrastructure that should never be targeted in cyber attacks.
It is not yet clear which companies were affected by the attack on Kaseya. The scale of the attack is feared to increase dramatically in the coming days: because of Independence Day, Americans are enjoying a long weekend, which means many businesses won’t start working again until Tuesday.