Biden: US damage appears minimal in ransomware hit
WASHINGTON — President Joe Biden said Tuesday that damage to US businesses in the biggest ransomware attack on record appears minimal, though information remained incomplete. The company whose software was exploited said fewer than 1,500 businesses worldwide appeared compromised but cybersecurity experts caution that the incident isn’t over.
Also Tuesday, a security researcher who chatted online with representatives of the Russia-linked REvil gang behind the attack said they claimed to have stolen data from hundreds of companies, but offered no evidence.
Answering a reporter’s question at a vaccine-related White House event, Biden said his national security team had updated him Tuesday morning on the attack, which exploited a powerful remote-management tool run by Miami-based software company Kaseya in what is known as a supply-chain attack.
“It appears to have caused minimal damage to US businesses but we’re still gathering information,” Biden said. “And I’m going to have more to say about this in the next several days.” An official at the Cybersecurity and Infrastructure Security Agency, speaking on condition they not be further identified, said no federal agencies or critical infrastructure appear to have been impacted.
White House spokeswoman Jen Psaki held out the prospect of retaliatory action. What Biden told President Vladimir Putin in Geneva last month still holds, she said: “If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.”
What sort of action that would be is unclear.
Biden has said repeatedly that the Kremlin bears responsibility for giving ransomware criminals safe harbor, even if it is not directly involved. There is no indication that Putin has moved against the gangs. Psaki said Russian and US representatives were meeting next week and would discuss the matter.
Friday’s attack hobbled businesses in at least 17 countries. It shuttered most of the 800 supermarkets in the Swedish Coop chain over the weekend because cash registers stopped working, and reportedly knocked more than 100 New Zealand kindergartens offline.
Kaseya said it believes only about 800 to 1,500 of the estimated 800,000 to 1,000,000 mostly small business end-users of its software were affected. They are customers of companies that use Kaseya’s virtual system administrator, or VSA, product to fully manage their IT infrastructure.
Cybersecurity experts said, however, it is too early for Kaseya to know the true impact given the attack's launch on the eve of the Fourth of July holiday weekend in the US. They said many targets might only discover it upon returning to work Tuesday.
Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms. In the US, disclosure of a breach is required by state laws when personal data that can be used in identity theft is stolen. Federal law mandates it when healthcare records are exposed.
Security researchers said that in this attack, the criminals did not appear to have had time to steal data before locking up networks. That raised the question whether the motivation behind the attack was profit alone, because extortion through threatening to expose sensitive pilfered data betters the odds of big payoffs.