The Jerusalem Post

Expert: July 4 ransomware attack may be largest ever

‘No coincidence strike was conducted on holiday eve, when many victims won’t find out until Tuesday’

By ZEV STUB

A ransomware attack by the Russian-based REvil gang on the eve of the July 4th US holiday weekend may end up being even larger than the recent SolarWinds hack, an Israeli cybersecurity expert has told The Jerusalem Post.

The supply-chain attack on IT management software provider Kaseya has been under-reported in the media due to the holiday, but may set a new precedent for future cyberattacks, said Demi Ben-Ari, Co-Founder & CTO of Tel Aviv-based security management company Panorays.

Kaseya provides IT management tools for some 40,000 customers worldwide. The company has said that REvil managed to target only about 40 of its clients, but that some of those are Managed Service Providers (MSPs) that may each work with hundreds of businesses.

“That means the viral distribution of this thing is going to be massive,” Ben-Ari said. “What has been reported so far is that more than a thousand companies have been affected, including some chains, like Swedish grocery retailer Coop, which was forced to close more than 800 stores. Their systems are literally all down.”

This attack is significantly different from the recent SolarWinds attack, which exposed sensitive data from government offices and thousands of private companies in what was possibly the largest security breach ever, Ben-Ari said. In this attack, companies are being told to pay a large ransom – in some cases, as much as $50,000 per employee at each company. “If you just multiply the numbers, the magnitude is massive,” he said.

The US government prefers that companies don’t give money to their attackers so as not to encourage them, but many corporate ransomware victims conclude that the cost of resisting is much greater than paying.

Last month, JBS, one of the largest meat producers in the US, paid an $11 million ransom after a similar attack knocked out operations at some of its largest facilities. (The FBI has blamed that attack on REvil as well.) And in May, Colonial Pipeline, one of the US’s largest gas providers, was forced to shut down gas delivery to the East Coast until it paid the hackers $4.4 million to get back online.

“REvil is only interested in getting money and like other Russian ransomware groups, is believed to be sponsored by the Russian government, although that hasn’t been proven,” Ben-Ari said.

“It is not a coincidence that this attack was conducted on the eve of the Fourth of July holiday, when many of the victims are out of the office and may not even find out about it until Tuesday. This was a super-targeted operation intended to make a lot of money.”

Kaseya immediately advised customers to shut their servers temporarily to avoid being attacked, and to be wary of any communications from the attackers. The scope of the damage from the attack will not be clear for several more days, Ben-Ari noted.

He said that companies can prepare themselves for such attacks by evaluating risks to their system and securing vulnerabilities using cybersecurity services like that of Panorays, and implementing a plan to get back online in case of attacks. “I believe this type of attack will be a paradigm that companies of all sizes must prepare for. Smaller companies that don’t invest in cybersecurity will be the easiest to breach, and then there is a risk that the attack could go viral,” he said.

“The only solution is preparing ahead, because the question isn’t whether something like this will happen, but when.”

(Anton Feelin) THOUSANDS OF companies may have been affected by the recent ransomware attack, says Panorays co-founder and CTO Demi Ben-Ari.
