Cybersecurity teams have been working feverishly to stem the impact of the single biggest global ransomware attack on record, with a Russia-linked gang believed to be responsible.
An affiliate of the notorious REvil gang, best known for extorting $US11 million ($15 million) from the meat-processor JBS after a May attack in the US, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
They reported ransom demands of up to $US5m ($6.6m) as a result of Friday’s unusually sophisticated attack on US tech provider Kaseya.
The FBI said in a statement on Sunday it was investigating the attack along with the federal Cybersecurity and Infrastructure Security Agency, though “the scale of this incident may make it so that we are unable to respond to each victim individually”.
President Joe Biden suggested on Saturday the US would respond if it was determined the Kremlin is involved.
He said he had asked the intelligence community for a “deep dive” on what happened.
The attack comes less than a month after Mr Biden pressed Russian President Vladimir Putin to stop providing safe haven to REvil and other ransomware gangs whose ongoing extortionary attacks the US deems a national security threat.
A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector – though few large companies, the cybersecurity firm Sophos reported.
Ransomware criminals break into networks and sow malware that cripples networks on activation by scrambling all their data.
Victims get a decoder key when they pay up.
Most ransomware victims do not publicly report attacks or disclose if they have paid ransoms.
Experts say it was no coincidence REvil launched the attack at the start of the July 4 holiday weekend in the US, knowing offices would be lightly staffed.
John Hammond of Huntress Labs, one of the first cybersecurity firms to sound the alarm on the attack, said he had seen demands between $US500,000 and $US5m ($665,000-$6.6m) by REVil for the decryptor key needed to unlock scrambled networks.
“We haven’t seen evidence of data theft,” Ross McKerchar, chief information security officer at Sophos, said.
“But it’s still early on. Only time will tell if the attackers resort to playing this card in an effort to get victims to pay.”
The cybersecurity firm ESET identified victims in at least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.
Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralysing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.
US officials say the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.