Ransomware hackers demand $70 million to unlock computers

The boss of the company at the heart of a widespread hack that has affected hundreds of businesses said he briefed the White House and that attackers are demanding a single $70 million ransomware payment.

The cyberattack that started to unfold Friday is estimated to have hit hundreds of mostly small and medium-size businesses and tens of thousands of computers. It quickly set off alarms in U.S. national security circles over concern that it could have far-reaching effects.

On Monday, Fred Voccola, the chief executive of Kaseya Ltd., whose software was targeted in the attack, spoke with Deputy National Security Advisor Anne Neuberger about the event while the company was still scrambling to restore services to its customers, Mr. Voccola said. Mr. Voccola told the White House that Kaseya wasn’t aware of any critical infrastructure that had been hit by the ransomware or of any victims related to national security, he said in an interview Monday.

A White House spokeswoman didn’t immediately comment.

The hackers behind the ransomware attack said that, upon payment, they will release a “universal decryptor” that would unlock computers that had been encrypted and rendered unusable by the attack, according to a note posted to the group’s website Sunday. Mr. Voccola declined to discuss the payment issue.

The ransomware incident has raised concerns because Kaseya’s VSA software is used by many technology companies to provide computer management services, potentially providing a gateway to other victims. The attack locked up computers at schools in New Zealand and locked up cash registers at Coop, a Swedish grocery store chain that was forced to shut some outlets.

Mr. Voccola said that corporate systems at Kaseya hadn’t been compromised during the attack, but that the company protectively shut down the servers providing its online services. Employees have been working through the weekend to restore services and test and release a patch to users of its VSA software that will fix the issues exploited by the hackers, he said. That patch should be released within “hours,” Mr. Voccola said Monday afternoon.

The hackers were able to distribute ransomware by exploiting several vulnerabilities in the VSA software, a Kaseya spokeswoman said.

One of them, discovered by a Dutch security researcher, was in the process of being patched by Kaseya before the ransomware attack occurred, said Victor Gevers, chairman of the volunteer-run security group, the Dutch Institute for Vulnerability Disclosure.

“Kaseya understood the problem and they were rushing to produce a patch,” Mr. Gevers said. Mr. Gevers said the bug was due to a simple error in the company’s code.

About 50 of Kaseya’s customers were compromised and about 40 of those customers were sellers of IT services, known as managed service providers, Mr. Voccola said. By breaking into MSP’s, the hackers were able to expand their impact, performing what security experts call a supply-chain attack.

Security companies estimate that hundreds of organizations, all of them customers of those 40 or so service providers, have now been hit by the ransomware, making it one of the most widespread incidents to date. But almost all of them are small and medium-size organizations, cybersecurity experts said, with the impact often not immediately apparent to the wider public.

“A typical MSP has—ballpark—about 40 end-customers. The average one of their customers has about 20 endpoints and not all of the endpoints were even breached,” Mr. Voccola said in reference to the managed service providers. “It’s still too many, don’t get me wrong.”

Concerns about ransomware are at an all-time high, following extremely disruptive attacks on the Colonial Pipeline and food processor JBS SA.

In May, President Biden ordered U.S. agencies and software contractors that supply them to boost their defenses against cyberattacks that officials have said pose a growing threat to national security and public safety.

The hackers behind the latest incident are known as the REvil ransomware group. They are asking for $70 million to unlock all the affected systems but victims of the group can also pay amounts varying between $25,000 and $5 million directly to unlock their systems even if nobody pays the $70 million.

On Friday, REvil claimed to have infected 40,000 computers. By Sunday, that claim had ballooned to 1 million, a claim many cybersecurity experts treated with skepticism.

“One million seems like an enormous overestimate,” said Brett Callow, a threat analyst for cybersecurity company Emsisoft.

When reached through an intermediary, REvil declined to comment. “We don’t need a lot of noise. Only money,” one of the group’s members told the intermediary, the person said.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency advised Kaseya users to shut down their VSA servers on Friday and has been monitoring the situation.

President Biden over the weekend told reporters that he had been briefed on the attack and that U.S. officials were trying to determine the extent of the Russian government’s involvement. He added that he has warned Russian President Vladimir Putin that the U.S. would respond to Russian government-sponsored cyberattacks. At a recent summit with Mr. Putin, the U.S. president addressed cybersecurity and said critical infrastructure should be off-limits to attacks.

With this latest attack, REvil, which about a month ago collected a $11 million payment from JBS, appears to be signaling that it has not been deterred.

“Ever since Colonial, they have indicated that they are not backing down and they’re going to be even more focused on U.S. targets,” said Chris Krebs, a partner at the security consulting firm Krebs Stamos Group LLC. “What we’re seeing here is some signaling from the actors that these guys are here to stay.” WSJ