REvil ransomware gang demanded $70M for universal decryptor for Kaseya victims

REvil ransomware is demanding $70 million for decrypting all systems locked during the Kaseya supply-chain ransomware attack.

REvil ransomware is asking $70 million worth of Bitcoin for decrypting all systems impacted in the Kaseya supply-chain ransomware attack.

On Friday the REvil ransomware gang hit the Kaseya cloud-based MSP platform impacting MSPs and their customers.

The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.

The investigation is still ongoing, according to security firm Huntress Labs at least 1000 organizations have been impacted, making this incident, one of the largest ransomware attacks in history.

The situation could be worse, according to a message shared by the group on its leak site, the gang claims to have encrypted files on more than a million systems and offers a way out for a universal descriptor.

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims “readme” file instructions.” reads the message on its leak site.

REvil ransomware initially asked the owners of endpoints infected in this campaign 44,999 USD in Bitcoin, but now it seems to be interested to close the game with a single huge ransom of $70 million.

Bleeping computer pointed out that the group used multiple extensions when encrypting the files and that it is requesting 44,999 USD only for one of them.

“For victims with locked files that have multiple extensions following the REvil ransomware encryption, the gang’s demand can be as high as $500,000, BleepingComputer learned.” reported BleepingComputer.

The ransomware gang exploited a zero-day vulnerability in Kaseya VSA servers, tracked as CVE-2021-30116, that was discovered by The Dutch Institute for Vulnerability Disclosure (DIVD) and reported to the company.

Kaseya was validating the patch before they rolled it out to customers but REvil ransomware operators exploited the flaw in the massive supply chain ransomware attack.

“From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing.” states an update provided by the Dutch Institute for Vulnerability Disclosure (DIVD). “Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

US authorities are investigating the incident and U.S. President Biden is urging them into providing a clear picture of what has happened.

Below my interview on the Case:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Kaseya)

[adrotate banner=”5″]

[adrotate banner=”13″]