A "Russia-linked" hacking group known as REvil has compromised over 200 US-based businesses in an ongoing ransomware attack, Maryland-based cybersecurity company Huntress Labs has reported, citing an internal threat analysis.
"Our team is tracking a critical #ransomware incident affecting MSPs and their customers, which appears to be a #KaseyaVSA supply chain attack. Follow our latest updates and threat intel on Reddit: https://t.co/d0hWMrRM28" — Huntress (@HuntressLabs), July 2, 2021
The hacks are said to target managed service providers (MSPs), which deliver IT support to small and medium-sized businesses. By compromising an MSP, the attackers are said to gain access to its customers’ networks and then demand ransoms by threatening to shut down their systems.
Sources said to be familiar with the attacks told Bloomberg that Synnex Corp and Avtex LLC were among the MSPs targeted. Avtex president George Demou suggested that “hundreds” of MSPs may have been attacked in what he dubbed a “Global Supply Chain hack.” He added that the company was now “working with” customers who were impacted.
A Huntress Labs representative said the company’s information showed that at least eight MSP partners had been affected, and warned that the estimated figure of 200 victims is expected to “significantly rise” as additional compromised MSPs are discovered.
Some of the ransomware victims have reportedly been asked to provide cash payments starting at $45,000 to get their services back online.
The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that it is aware of the hacks, releasing a statement saying that it is “taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA [a software developer used by MSPs] and the MSPs that employ VSA software.”
REvil is the same hacking collective blamed for May’s ransomware attack on the US operations of JBS SA, a major Brazilian meat processing company. That company said it was forced to pay $11 million by the hackers.
Before that, the group reportedly targeted Apple, Acer, the Texas government, a New York-based law firm, a London-based multi-academy trust, and US-based energy company Invenergy. The group also reportedly attempted to blackmail Donald Trump and the singers Lady Gaga and Madonna.
Government investigators and security companies have yet to provide substantiated evidence that REvil is in fact "Russia-linked" or "Russia-based," as US media have typically portrayed it to be. The argument that it’s Russia rests on code said to be baked into the malware which inspects a computer’s language settings and checks whether they are set to Russian or to the language of one of the other Commonwealth of Independent States countries (which besides Russia include Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, and Uzbekistan).
The United States and its allies have spent years accusing Russia, its intelligence agencies or malevolent actors based in the Eastern European country of a broad range of hacking activities – from alleged attacks targeting the 2016 election, to claims of Russian schemes to shut off critical infrastructure, to allegations that Russian actors sought to hack US and British research into coronavirus vaccines.
In almost every instance, the US has failed to provide substantive proof of Russia’s alleged malevolent activities. Nevertheless, the hacking allegations have regularly served as the basis for new sanctions against Moscow.
Russia has repeatedly proposed expanding cooperation with the US and other countries in the field of cybersecurity and cybercrime. Last month, at their summit in Geneva, Presidents Putin and Biden reportedly agreed to discuss the issue seriously. Last week, Russian Ambassador to the United States Anatoly Antonov confirmed that the “first contacts” on cooperation in this sphere have recently taken place, but added that it would “take some time to get some serious results.”