Over 800 companies affected
The hacker group REvil attacked over 800 companies
Security researchers at Check Point Research (CPR) took a closer look at last weekend’s ransomware attacks. The hacker group REvil used the American Independence Day on July 4 for the biggest supply chain attack since the Sunburst attack at the end of 2020.
REvil’s attackers used a zero-day exploit in Kaseya software as an entry point to push ransomware into companies and extort them. Between 800 and 1500 companies from 17 countries are affected, Fred Voccola, CEO of Kaseya, confirmed to Reuters. The total ransom demanded by the attackers is in the millions. Check Point security researchers had already observed increasing REvil activity in recent weeks: over the past two months, they recorded 15 new REvil attacks per week, most of them in the United States, Germany, Brazil and India. Compared to last year, the number of ransomware attacks in general and globally increased by 93 percent.
Christine Schönig, Regional Director Security Engineering CER, Office of the CTO at Check Point
“Records for cyberattacks have already been broken in 2021,” explains Christine Schönig, Regional Director Security Engineering CER, Office of the CTO, at Check Point Software Technologies GmbH: “The increase in ransomware attacks is at an all-time high of 93 percent worldwide, that of all attacks in the EMEA region at 97 percent, and that only in the last 12 months. Never before have there been so many victims of ransomware attacks, an unknown share of which affects not only the US alone; increasingly, European companies have also been targeted here. Those who use Kaseya VSA had best disconnect it from the network immediately, although it may already be too late.”
Regarding the chosen time of the attack, Ms. Schönig explains: “REvil chose July 4 as the time of the attack for a reason, namely lack of attention. On the US National Day, there is often only one emergency crew available, and this fact opened the back door to over a thousand companies, which in turn could compromise numerous other companies. IT staff were offline for the celebrations in the country, and the emergency staffing that was used usually worked less prudently. This fact played into the hands of the threat actors in several ways: the ransomware could be fully deployed before anyone realized anything. In addition, the panic is greater during the response measures when important contacts are not available to decide. This increases the level of wrong decisions and also the probability of yielding to a ransom demand.”
Important steps to identify infection associated with the Kaseya attack wave:
- Use EDR, NDR and other security monitoring tools to verify the legitimacy of all files that have appeared in the environment since July 2.
- Ask security product vendors whether their products have safeguards in place against REvil ransomware.
- When help is needed, call in experts to verify the state of the IT environment.