Scale, details of massive ransomware attack emerge

President Joe Biden suggested Saturday that the U.S. would respond if the Kremlin was found to be involved. He stated that he had asked U.S. intelligence to conduct a deep dive into what transpired. The attack comes less than one month after Biden asked Vladimir Putin to end the safe haven for REvil and other ransomware groups whose relentless extortion attacks the U.S. deems a national security risk.

According to the cybersecurity firm Sophos, the attack affected a wide range of public and private agencies, as well as businesses in financial services and in travel and leisure. Ransomware criminals break into networks and spread malware that disables them by scrambling all of their data; when victims pay up, they get a decoder.

Coop, a Swedish grocery chain, announced that most of its 800 stores would be closed on Sunday because its cash register software supplier had been knocked out. A Swedish pharmacy chain, a gas station chain, and the state railway were also affected. In Germany, according to the news agency dpa, an unnamed IT service company said that several thousand of its customers had been compromised. Two large Dutch IT service companies, VelzArt Techniek and Hoppenbrouwer Techniek, were also reported as victims. Victims are not required to report ransomware attacks publicly or to reveal whether they have paid ransoms.

Kaseya CEO Fred Voccola estimated that there were around 2,000 victims, mostly small businesses such as dental offices, architecture firms and plastic surgery centers. Voccola stated in an interview that between 50-60% of the company's 37,000 customers had been compromised, and that 70% of the victims were managed service providers that use the company's VSA software, the product that was hacked, to manage multiple customers. VSA automates software installation and security updates, and also manages backups.

Experts believe it was no coincidence that REvil launched its attack just before the Fourth of July holiday weekend, when U.S. offices would be lightly staffed. Many victims might not discover the attack until they return to work on Monday. Voccola stated that the vast majority of managed service providers' customers do not know what software is used to maintain their networks. Kaseya stated that it sent a detection tool to almost 900 customers Saturday night.

John Hammond of the cybersecurity firm Huntress Labs stated that he had received demands of $5 million and $500,000 from REvil for the key to unlock scrambled networks. According to reports, the smallest amount demanded was $45,000. Ransomware gangs at REvil's level often search the files they have stolen for victims' financial records and insurance policies before activating the data-scrambling malware, and threaten to publish the stolen data online if the ransom is not paid. However, it was not immediately clear whether this attack involved data theft; it appears that it did not. According to Ross McKerchar, chief information security officer at Sophos, stealing data is usually a time-consuming and laborious task: "Although we have not seen any evidence of data theft yet, it is early days and only time will tell whether the attackers resort to this strategy to make victims pay."

Kaseya, based in Miami, was alerted to the breach by Dutch researchers, who said the criminals used a zero-day, the industry term for an unpatched security hole in software. Voccola declined to confirm this or to provide details about the breach, except to state that it was not phishing. He said the level of sophistication was exceptional.