A massive cyberattack has hit hundreds of US businesses and several government agencies, disrupting their operations and exposing their data. The attack, which was first reported on Friday, July 3, 2023, is believed to have been carried out by a Russian-linked ransomware group called REvil.
What is ransomware and how does it work?
Ransomware is a type of malicious software that encrypts the victim’s files and demands a payment to restore access. The attackers usually threaten to delete the data or publish it online if the ransom is not paid. Ransomware attacks have become more frequent and sophisticated in recent years, targeting various sectors such as healthcare, education, finance, and energy.
How did the attack happen and who was affected?
The attack targeted a Florida-based IT company called Kaseya, which provides software solutions to manage and monitor networks of computers and devices. The attackers exploited a vulnerability in one of Kaseya’s applications called VSA, which runs on corporate servers, desktop computers, and network devices. The attackers then used the compromised VSA servers to distribute ransomware to Kaseya’s customers, which include small and medium-sized businesses across various industries.
According to Kaseya, about 50 of its direct customers were affected by the attack, but the number of downstream victims could be much higher. Huntress Labs, a cyber-security firm that has been tracking the incident, said it had identified more than 200 businesses that had been infected by the ransomware. Some of the affected businesses include dental offices, accounting firms, travel agencies, and supermarkets.
The attack also impacted several government agencies in Louisiana and Oregon, exposing the personal data of millions of residents. In Louisiana, anyone with a driver’s license or state ID card was affected by the breach. In Oregon, 3.5 million people with driver’s licenses or state ID cards had their data compromised.
What are the attackers demanding and how are the victims responding?
The attackers are demanding different amounts of ransom from different victims, depending on the size and nature of their business. Some victims have received demands ranging from $45,000 to $5 million in cryptocurrency. The attackers have also offered a universal decryption key for $70 million that would unlock all the affected systems.
Some of the victims have reportedly paid the ransom to restore their operations and data. Others have refused to pay and are trying to recover their systems using backups or other methods. Kaseya said it was working with external cyber-security experts and law enforcement agencies to investigate and resolve the issue. The company also advised its customers to shut down their VSA servers until a patch is available.
How are the authorities reacting and what are the implications?
The US Cybersecurity and Infrastructure Security Agency (CISA), a federal agency that oversees the nation’s cyber-defenses, said it was taking action to address the attack. CISA said it was working with Kaseya, other federal agencies, and private sector partners to provide guidance and assistance to the affected entities.
The attack has raised concerns about the vulnerability of US businesses and government agencies to cyber threats from foreign adversaries. It comes just weeks after US President Joe Biden met with Russian President Vladimir Putin in Geneva and discussed the issue of cyber-security. Biden said he gave Putin a list of 16 critical infrastructure sectors that should not be subject to hacking and warned him of consequences if Russia violated those norms.
However, the latest attack shows that Russia-linked cyber-criminals are still active and capable of launching large-scale attacks on US targets. The attack also demonstrates the challenges of defending against supply chain attacks, which exploit trusted third-party vendors to compromise multiple organizations at once.
The attack could have significant economic and security implications for the US and its allies. It could disrupt essential services, damage customer trust, expose sensitive information, and cost millions of dollars in recovery efforts. It could also escalate tensions between the US and Russia and increase pressure on both sides to cooperate or confront each other on cyber issues.