The software company Kaseya said Tuesday it has identified a solution to the security vulnerability that the cybercriminal gang REvil exploited in one of the largest global ransomware attacks to date. The cyber gang is demanding $70 million to release the systems of hundreds of businesses it is holding hostage.
Kaseya planned to bring its servers back online on Tuesday afternoon and to have the patch available for on-premises customers within 24 hours of the servers coming back online, according to the company. The company has said it is testing its proposed solution.
“Our global teams are working around the clock to get our customers back up and running,” Kaseya CEO Fred Voccola said in a statement on the company’s website. “We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved.”
Senior U.S. national security officials have conferred with “high-level Russian officials” about the attack, although the Biden administration hasn’t pinpointed responsibility, White House press secretary Jen Psaki said Tuesday. Ms. Psaki said the REvil gang “has affiliates around the world” and that the U.S. Intelligence Community “has not yet fully attributed the attack.”
REvil’s ransomware attack on Kaseya affected fewer than 1,500 businesses downstream from 60 customers that use Kaseya products, according to the software company, which is headquartered in Miami and Ireland. The victims reside in 17 different countries and include many small businesses.
The gang looks to have demanded payments ranging from thousands to millions of dollars, according to cybersecurity researchers. Late Sunday, REvil published a request for $70 million in cryptocurrency in exchange for a tool that will release all the files being held hostage in less than an hour.
Asked if the White House knew whether the company had paid the $70 million ransom, Ms. Psaki said only that the administration’s policy still advises companies not to pay.
The ransomware attack is the latest in a cyber onslaught hitting businesses and critical infrastructure that the U.S. federal government has scrambled to combat. The timing of the attack — during the Fourth of July weekend — means many victims may not fully discover the extent of the problem until they return to the office this week.
“This cyberattack is one of the biggest we’ve ever seen,” said Ekram Ahmed, spokesperson at cybersecurity firm Check Point, in an email. “What’s alarming here is the combination of a supply chain and ransomware attack; usually you see one or the other. A supply chain attack that targets [managed service providers], combined with crippling ransomware, has potentially exponential and untenable consequences.”
Brett Callow, a threat analyst at the software company Emsisoft, said it is not surprising that REvil has sought to consolidate its ransom negotiations into a single payment.
“The group will not have the capacity to handle more than a thousand negotiations, so monetizing the attack via a single negotiation would be the easiest and most streamlined option,” Mr. Callow said in an email. “REvil will likely hope that insurers will consider their proposal to be an attractive option too.”
Mr. Callow added that the tool offered by REvil would enable victims to recover faster than otherwise possible and noted that if all of the victims paid up individually, then it would likely amount to “considerably more” than REvil’s $70 million ransom.
REvil is one of the most prolific ransomware groups and, even before the Kaseya attack, was responsible for the greatest number of victims, according to cybersecurity researchers. Previously, REvil gained attention for its cyber assault on major meat producer JBS, and it has launched an average of 15 cyberattacks per week over the last two months, said cybersecurity software firm Check Point.
REvil operates on a ransomware-as-a-service model in which the developers of the malicious software and the affiliates who deploy it split the ransom payments victims make to regain access to their systems. According to cybersecurity company DomainTools, REvil’s ransomware avoids targeting computers in a certain “language region,” including Russia and Kazakhstan.
At a summit last month, President Biden warned Russian President Vladimir Putin that the U.S. will retaliate for any further cyberattacks originating from Russia.
Ms. Psaki said the attack “underscores the need for companies and government agencies to focus on improving cybersecurity.”
The Biden administration has dispatched the FBI and the Cybersecurity and Infrastructure Security Agency to work with Kaseya, and President Biden has directed the full resources of the government to investigate the incident, said Anne Neuberger, deputy national security adviser for cyber and emerging technology.
• Dave Boyer and wire reports contributed to this article.