The company whose software was exploited in the most significant ransomware attack on record said Tuesday that so far, it appears fewer than 1,500 businesses were compromised. But cybersecurity experts suspect the estimate is low and note that victims are still being identified.
Two examples of the attack’s impact across the at least 17 countries affected: most of the 800 supermarkets in the Swedish Coop chain closed over the weekend because the malware crippled their cash registers, and more than 100 New Zealand kindergartens were reportedly knocked offline.
Miami-based Kaseya said it believes only about 800 to 1,500 of an estimated 800,000 to 1,000,000 end-users of its software, primarily small businesses, were affected. Those end-users are customers of companies that use Kaseya’s Virtual System Administrator, or VSA, to fully manage their IT infrastructure.
However, cybersecurity experts said it is too early for Kaseya to know the true impact of Friday’s attack. They note that because it was launched by the Russia-linked REvil gang on the eve of the Fourth of July holiday weekend in the U.S., many targets may only be discovering it upon returning to work Tuesday.
Ransomware criminals infiltrate networks and deploy malware that cripples them by encrypting their data. Victims get a decryption key when they pay up. Most ransomware victims don’t publicly report attacks or disclose whether they’ve paid the ransom. In the U.S., disclosure of a breach is required by state laws when personal data that can be used in identity theft is stolen. Federal law mandates it when healthcare records are exposed.
Unlike in many ransomware attacks, the criminals in this one apparently had no time to steal data before locking up networks. They are demanding up to $5 million from larger victims and $45,000 from small ones.
And in what many researchers considered a PR stunt, REvil is offering on its site on the dark web to release a universal software decoder to free all victims in exchange for a lump-sum payment of $70 million. It did not say who was expected to pay. The criminals claim to have infected a million systems.
Most of the more than 60 Kaseya customers that company spokeswoman Dana Liedholm said were affected are managed service providers (MSPs), each with multiple customers downstream.
“Given the relationship between Kaseya and MSPs, it’s not clear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming, though,” said Jake Williams, chief technical officer of the cybersecurity firm BreachQuest.
The hacked VSA tool remotely maintains customer networks, automating security patches and other software updates. Because it is trusted to push software to every endpoint it manages, a product designed to protect networks from malware became the channel through which the ransomware was distributed.
“It’s too soon to tell since this entire incident is still under investigation,” said the cybersecurity firm Sophos, which has been tracking the incident closely. It and other cybersecurity outfits questioned whether Kaseya had visibility into the crippled managed service providers.