Q&A: The Kaseya ransomware attack

·3-min read
What exactly is a ransomware attack?

A major cyberattack has potentially hit more than 1,000 companies worldwide, forcing a Swedish supermarket chain to shut hundreds of stores.

Hackers are demanding $70 million in bitcoin in exchange for data stolen in the ransomware attack against Miami-based IT company Kaseya.

But what exactly is a ransomware attack, and who is behind this one? Here are some key questions about the attack, which has paralysed businesses since Friday.

How bad is it?

The full scale of this attack remains unclear. Kaseya initially said Friday that it believed only around 40 of its customers had been affected.

But Huntress Labs, a cybersecurity firm working with partners targeted in the attack, has said it believes more than 1,000 companies may have been hit.

Not all of them are Kaseya customers. Swedish supermarket chain Coop, which was forced to close hundreds of stores after the hack pushed its checkouts offline, was affected because its IT subcontractor is linked to Kaseya.

Hackers claiming responsibility for the attack on Happy Blog, a site on the dark web associated with Russian-speaking group REvil, claimed they had infected "more than a million systems".

Why attack Kaseya?

French cybersecurity expert Loic Guezo said that targeting Kaseya, which provides IT solutions for some 40,000 small and medium-sized businesses worldwide, allowed the hackers to strike a huge number of victims with a single blow.

"It's using software that is used by many businesses in order to penetrate their networks," he explained, drawing a parallel with the spectacular attack against software firm SolarWinds last year.

What's a ransomware attack?

Ransomware attacks typically involve locking away companies' or individuals' data using encryption, then making them pay to regain access.

Such digital hostage-taking is increasingly common. Last year alone, at least $18 billion was sent to hackers using ransomware, according to security firm Emsisoft.

Payments are usually demanded in bitcoin, since the cryptocurrency helps perpetrators stay anonymous.

The United States has found itself a particular target of such attacks in recent months, with SolarWinds and the Colonial oil pipeline among high-profile victims.

The FBI has blamed those attacks on Russia-based hackers, and US President Joe Biden raised the issue with his counterpart Vladimir Putin at their summit last month.

Moscow, suspected of turning a blind eye to the hackers or even encouraging them, denies any involvement.

Who's behind the Kaseya attack?

Numerous experts have pointed the finger at a Russian-speaking hacking group known as REvil.

The demand for $70 million was posted on Happy Blog, a site on the dark web previously associated with REvil, who are also known as Sodinokibi.

The FBI believes REvil were also behind last month's attack on global meat processing giant JBS, which ended with the Brazil-based company paying bitcoin worth $11 million to the hackers.

REvil, who first emerged around 2019, work as part of a collective, sometimes sharing both their ransomware and their loot with other hackers who take part in the same attack.

They are seen as among the most dangerous ransomware attackers out there, carrying out around 29 percent of such attacks in 2020, according to a recent report by IBM's Security X-Force unit.

That report estimated that REvil took ransoms worth at least $123 million in 2020.

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting