Number of victims in major ransomware attack still unclear
The company whose software was exploited in the most significant ransomware attack on record said Tuesday that, so far, it appears fewer than 1,500 businesses were compromised. Cybersecurity experts suspect the estimate is low and note that victims are still being identified. The attack has affected organizations in at least 17 countries. Two examples of its impact: most of the 800 supermarkets in the Swedish Coop chain closed over the weekend because the malware crippled their cash registers, and more than 100 New Zealand kindergartens were reportedly knocked offline. Miami-based Kaseya said it believes only about 800 to 1,500 of the estimated 800,000 to 1,000,000 end-users of its software, primarily small businesses, were affected. Those end-users are customers of companies that use Kaseya's Virtual System Administrator, or VSA, to manage their IT infrastructure.
The statement was widely reported after the White House shared it with media outlets. However, cybersecurity experts said it is too early for Kaseya to know the true impact of Friday's attack. They note that because it was launched by the Russia-linked REvil gang on the eve of the Fourth of July holiday weekend in the U.S., many targets may only discover it upon returning to work Tuesday. Ransomware criminals infiltrate networks and plant malware that cripples them by encrypting their data. Victims get a decryption key if they pay up. Most ransomware victims don't publicly report attacks or disclose whether they have paid the ransom. In the U.S., disclosure of a breach is required by state laws when personal data that can be used in identity theft is stolen. Federal law mandates it when healthcare records are exposed.
Unlike many ransomware attacks, the criminals in this one did not appear to have time to steal data before locking up networks. They are demanding up to $5 million from larger victims and $45,000 from small ones. And in what many researchers considered a PR stunt, REvil offered on its dark web site to release a universal decryptor that would free all victims in exchange for a lump-sum payment of $70 million. It did not say who was expected to pay. The criminals claim to have infected a million systems. Most of the more than 60 Kaseya customers that company spokeswoman Dana Liedholm said were affected are managed service providers (MSPs) with multiple customers downstream.
“Given the relationship between Kaseya and MSPs, it’s unclear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming, though,” said Jake Williams, chief technical officer of the cybersecurity firm BreachQuest. The hacked VSA tool remotely maintains customer networks, automating security and other software updates. A product designed to help protect networks from malware was turned into the channel for distributing it. “It’s too soon to tell since this entire incident is still under investigation,” said the cybersecurity firm Sophos, which is tracking the incident closely. It and other cybersecurity outfits questioned whether Kaseya had visibility into the affected managed service providers and their downstream customers.