REvil is raising ransoms for Kaseya ransomware attack victims

The REvil ransomware gang is raising the ransom demands for victims encrypted during Friday's Kaseya ransomware attack.

When conducting an attack on a business, ransomware gangs such as REvil typically research the victim by analyzing stolen and public information for financial data, cybersecurity insurance policies, and other details.

Using this information, the number of encrypted devices, and the amount of stolen data, the threat actors come up with a high-ball ransom demand that they believe the victim can afford to pay after negotiations.

However, with Friday's attack on Kaseya VSA servers, REvil targeted the managed service providers rather than their customers. Because of this, the threat actors could not determine how large a ransom they should demand from the encrypted MSP customers.

As a workaround, it appears the ransomware gang set a base ransom demand of $5 million for MSPs and a much smaller ransom of $44,999 for the MSPs' customers who were encrypted.

Ransom demand for Kaseya ransomware victims

It turns out this $44,999 amount is irrelevant, as in several negotiation chats shared with and seen by BleepingComputer, the ransomware gang is not honoring these original ransom demands.

When encrypting a victim's network, REvil can use multiple encrypted file extensions during the attack. The threat actors typically provide a decryptor that can decrypt all extensions on the network after a ransom is paid.

For victims of the Kaseya ransomware incident, REvil is doing things differently and demanding between $40,000 and $45,000 for each encrypted file extension found on a victim's network.

A portion of a REvil ransom negotiation

For one victim who said they had over a dozen encrypted file extensions, the ransomware gang demanded a $500,000 ransom to decrypt the entire network.

$500,000 ransom to decrypt the entire network

However, the good news is that the REvil representatives have told victims that they only encrypted networks and nothing more. This means that REvil likely did not steal any of the victims' data, which they are known to use quickly as leverage in ransomware negotiations.

REvil states data was not stolen

This also indicates that the ransomware operation did not have access to the victims' networks before the attack. Instead, they likely exploited the Kaseya VSA vulnerability remotely to distribute the encryptor and execute it on the victims' devices.

Attack’s aftermath

Since the attacks on Friday, Kaseya has been working on releasing a patch for the zero-day vulnerability exploited in the REvil attack.

This zero-day was discovered by DIVD researchers, who disclosed it to Kaseya and assisted in testing the patch.

Unfortunately, REvil discovered the vulnerability at the same time and launched their attack on Friday, before the patch was ready, just in time for the US Fourth of July holiday weekend.

It is believed that over 1,000 businesses have been affected by the attack, including attacks on the Swedish Coop supermarket chain, which had to close around 500 stores, a Swedish pharmacy chain, and the SJ transit system.

President Biden has directed US intelligence agencies to investigate the attack but has not gone as far as to state that the attacks originated from Russia.

The FBI also announced today that they are investigating the incident and working closely with CISA and other agencies.

“The FBI is investigating the Kaseya ransomware incident and working closely with CISA and other interagency partners to understand the scope of the threat.”

“If you believe your systems have been compromised, we encourage you to employ all recommended mitigations, follow Kaseya's guidance to shut down your VSA servers immediately and report to the FBI at ic3.gov,” said the FBI in a press statement.