The hacker gang behind an international crime spree that played out over the Fourth of July weekend say they’ve locked more than a million individual devices and are demanding $70 million in bitcoin to set them all free in one swoop.
The gang, the Russia-connected REvil, is best known for previously hacking JBS, one of the world’s largest meat suppliers, and briefly halting its operations across much of North America. But this attack’s potential scope is unprecedented, according to some cybersecurity experts.
REvil’s began its spree Friday by compromising Kaseya, a software company that helps companies manage basic software updates. Since many of Kaseya’s customers are companies that manage internet services for other businesses, the number of victims grew quickly. Instead of locking an individual organization, as ransomware gangs usually do, REvil this time locked each victim computer as a standalone target, and initially asked $45,000 to unlock each specific one.
President Joe Biden has “directed the full resources” of the government toward investigating the problem, he told reporters Sunday.
The Swedish grocery chain Coop is the largest known victim, and was forced to close most of its roughly 800 stores all day Saturday. Its registers were all controlled online by Visma Esscom, a Kaseya customer, and locked up and rendered unusable.
Exactly how many systems have been infected is unknown, though the number is likely sizable. The cybersecurity firm Huntress, which is helping Kaseya’s response, is aware of more than 1,000 individual businesses that have been affected so far, it said.
REvil’s claim that they have compromised more than a million devices in this spree is impossible to prove, given how few victims are speaking publicly and the fact that no government or company has a database of everyone who was hit. But that number is plausible, said Mikko Hypponen, a researcher at the cybersecurity company F-Secure, given that this strain of ransomware infects each device individually.
“Think about a retail chain, like grocery retail,” Hypponen said. “Every single cashier system is an endpoint. Every laptop. Everybody in the sales has a system, multiple servers. 200 stores, 300 stores, they alone would have thousands of endpoints. And if a thousand Coop-like companies were infected, yes, you would have a million endpoints.”
Regardless of the actual number of victims, it’s extremely difficult to imagine victims banding together to jointly pay $70 million, said Allan Liska, an analyst at the cybersecurity firm Recorded Future.
“Despite the braggadocio in their note, I actually think it is actually a sign they are overwhelmed,” Liska said.
A million victims that each paid $45 million would be a profit of $45 billion, he noted.
“They are low balling themselves at $70 million,” he said.
Kevin Collier is a reporter covering cybersecurity, privacy and technology policy for NBC News.