July 4th ransomware attack may be the largest ever – expert

A ransomware attack by the Russian-based REvil gang on the eve of the July 4th holiday weekend may end up being even larger than the recent SolarWinds hack, an Israeli cybersecurity expert told The Jerusalem Post.

The supply-chain attack on IT management software provider Kaseya has been under-reported in the media due to the holiday, but may set a new precedent for future cyberattacks, said Demi Ben-Ari, Co-Founder & CTO of Tel Aviv-based security management company Panorays.

Demi Ben-Ari, co-founder & CTO of Panorays. (Photo Credit: Anton Feelin)

Kaseya provides IT management tools for some 40,000 customers worldwide. The company has said that REvil managed to target only about 40 of its clients, but that some of those are Managed Service Providers (MSPs) that may work with hundreds of businesses each. “That means the viral distribution of this thing is going to be massive,” Ben-Ari said. “What has been reported so far is that more than a thousand companies have been affected, including some chains, like Swedish grocery retailer Coop, which was forced to close more than 800 stores. Their systems are literally all down.”

This attack is significantly different from the recent SolarWinds attack, which exposed sensitive data from government offices and thousands of private companies in what is possibly the largest security breach ever, Ben-Ari said. In this attack, companies are being told to pay a large ransom – as much as $50,000 per employee at each company in certain cases. “If you just multiply the numbers, the magnitude is massive,” he said.

The US government prefers that companies don’t give money to their attackers so as not to encourage them to do more, but many corporate ransomware victims conclude that the cost of resisting is much greater than that of paying.

Last month, JBS, one of the largest meat producers in the US, paid an $11 million ransom after a similar attack knocked out operations at some of its largest facilities. (The FBI has blamed that attack on REvil as well.) And in May, Colonial Pipeline, one of the US’s largest gas providers, was forced to shut gas delivery to the East Coast until it paid the hackers $4.4 million to get back online.

“REvil is only interested in getting money and like other Russian ransomware groups, is believed to be sponsored by the Russian government, although that hasn’t been proven,” Ben-Ari said. “It is not a coincidence that this attack was conducted on the eve of the fourth of July holiday, when many of the victims are out of the office and may not even find out about it until Tuesday. This was a super-targeted operation intended to make a lot of money.”

Kaseya immediately advised customers to shut their servers temporarily to avoid being attacked, and to be wary of any communications from the attackers. The scope of the damage from the attack will not be clear for several…