The extent of a major ransomware attack that U.S. cybersecurity experts have attributed to a Russian-speaking gang has yet to be determined as more companies come forward to say their systems have been compromised.
Cybersecurity experts quoted in U.S. news reports on July 4 said the attack affected thousands of victims in at least 17 countries when it was launched late on July 2. They said the cybercriminals had demanded ransoms between $45,000 and $5 million.
Fred Voccola, CEO of Kaseya, the U.S.-based company whose software was breached, also estimated the number of victims in the thousands. He said most were small businesses like dental practices, architecture firms, surgery centers, and libraries. Schools, small government agencies, travel agencies, and accounting agencies are also among the reported victims.
The company believes it has identified the source of the vulnerability and will release a patch as quickly as possible to affected customers, Voccola said in an interview with the Associated Press.
Voccola declined to offer details of the breach except to say that it was not phishing and that "the level of sophistication here was extraordinary."
Cybersecurity experts say the REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack and it was no coincidence that it was launched at the start of the U.S. Independence Day holiday weekend. Many victims may not find out they have been hit until they reopen on July 5 or 6.
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency are investigating and have asked companies to report the incidents, but warned that "the scale of this incident may make it so that we are unable to respond to each victim individually."
President Joe Biden has directed U.S. intelligence agencies to investigate, and Anne Neuberger, White House deputy national security adviser for cyber and emerging technology, said in a statement on July 4 that the FBI and the Department of Homeland Security "will reach out to identified victims to provide assistance based upon an assessment of national risk."
One of the companies affected is the Swedish grocery chain Coop. It was forced to close most of its 800 stores on July 3 and 4 because the attack crippled its cash-register software. A Swedish pharmacy chain, gas station chain, the state railway, and public broadcaster SVT were also hit.
Germany's federal cybersecurity watchdog said an unidentified IT service provider that looks after several thousand customers had been hit. Two big Dutch IT services companies were also among the targets.
Ransomware attacks are carried out by hackers who break into networks and spread malicious computer code used to encrypt a victim's digital data. The data are unusable until the targeted company pays the ransom.
High-profile ransomware attacks in May targeted a U.S. energy pipeline and a global meat processor. U.S. law enforcement authorities said they recovered most of the ransom paid in the pipeline case.
The following month Biden pressed Russian President Vladimir Putin during their summit in Geneva about ransomware gangs allegedly operating with impunity in Russia. Biden said he also told Putin that the United States would respond if an investigation determined that the Russian government is behind an attack.
