juanjomartinez56

Is 'REvil' ransomware group back to school?

On July 13th, the Russia-based REvil ransomware group shut down their servers shortly after a phone call from President Biden to Putin. And I hoped we were beginning a new era of international cooperation to fight organized ransomware. 🙏


REvil exploited a vulnerability in Kaseya's VSA software, used by MSPs to provide essential services to their customers’ IT infrastructure. 🔓


In this attack, perpetrated on July 2nd, they encrypted 1 million systems belonging to over 1500 end customers and 60 MSPs. 🧨


The ransoms they requested set new records: either $5M per MSP and $45K per individual customer, or $70M for a universal key valid for all. 💰


The incident happily ended on July 23rd, when Kaseya mysteriously got the decryption keys from a "trusted third party." 🔐


A lot has been written speculating whether White House pressure or other motivations were behind this happy ending. 🤷‍♀️


In any case, my hopes seem to have vanished now, as REvil is back to life again. Two servers, the Tor payment/negotiation site and their Tor 'Happy Blog' data leak site, are online now. ☠️


It is unclear if they have come back after a sabbatical or if law enforcement has reactivated them. ❓


Whatever the case, it's sending a strong warning sign for all of us to keep our security posture high and our incident response teams ready. 🛡


In addition to your prevention and detection, is your organization prepared to respond to a ransomware attack of this magnitude? 🤔


Here are the links to the BleepingComputer and Wikipedia articles.
