A ransom demand was posted on a site typically used by the REvil cybercrime gang, a Russia-linked group.
The hackers suspected to be behind a mass ransomware attack that has affected hundreds of companies worldwide have demanded $70m to restore the data, according to a posting on a dark web site.
The demand was posted late Sunday night on a site typically used by the REvil cybercrime gang, a Russia-linked group that is counted among the cybercriminal world’s most prolific extortionists.
The gang has an affiliate structure, occasionally making it difficult to determine who speaks on the hackers’ behalf, but Allan Liska of cybersecurity firm Recorded Future said the message “almost certainly” came from REvil’s core leadership.
The group has not responded to an attempt by Reuters to reach it for comment.
REvil’s ransomware attack, which the group executed on Friday, was among the most dramatic in a series of increasingly attention-grabbing hacks.
The gang broke into Kaseya, a Miami-based information technology firm, and used their access to breach some of its clients’ clients, setting off a chain reaction that quickly paralyzed the computers of hundreds of firms worldwide.
Cybersecurity experts swiftly blamed REvil for the attack. Sunday’s statement was the group’s first public acknowledgement that it was behind it.
An executive at Kaseya said the company was aware of the ransom demand but did not immediately return further messages seeking comment.
Liska said he believed the hackers had bitten off more than they could chew.
“For all of their big talk on their blog, I think this got way out of hand and is a lot bigger than they expected,” he said.
‘Way out of hand’
The ransomware attack, one of the largest in history, spread worldwide on Saturday. In one instance of its effect, it forced the Swedish Coop grocery store chain to close all 800 of its stores because it could not operate its cash registers.
The attack hijacked Kaseya’s desktop management tool VSA and pushed a malicious update that infected tech management providers serving thousands of business.
Security firm Huntress Labs, one of the first to sound the alarm of the wave of infections at the providers’ clients, said Saturday that thousands of small companies might have been hit.
Miami-based Kaseya said it was working with the FBI and that only about 40 of its customers were affected directly. It did not comment on how many of those were providers that in turn spread the malicious software to others.
In a statement late on Saturday, the FBI said it was investigating in coordination with the US Cybersecurity and Infrastructure Security Agency.
“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately,” the agency said.
The affected businesses had files encrypted and were left electronic messages asking for ransom payments of thousands or millions of dollars.
‘Tip of the iceberg’
Some experts said the timing of the attack, on the Friday before a long US holiday weekend, was aimed at spreading it as quickly as possible while employees were away from the job.
“What we are seeing now in terms of victims is likely just the tip of the iceberg,” said Adam Meyers, senior vice president of security company CrowdStrike.
President Joe Biden said on Saturday he has directed US intelligence agencies to investigate who was behind the attack.
According to Coop, one of Sweden’s biggest grocery chains, a tool used to remotely update its checkout tills was affected by the attack, so payments could not be taken.
“We have been troubleshooting and restoring all night, but have communicated that we will need to keep the stores closed today,” Coop spokesperson Therese Knapp told Swedish Television.
The Swedish news agency TT said Kaseya technology was used by the Swedish company Visma Esscom, which manages servers and devices for a number of Swedish businesses.
State railways services and a pharmacy chain also suffered disruption.
“They have been hit in various degrees,” Visma Esscom chief executive Fabian Mogren told TT.
Defence Minister Peter Hultqvist told Swedish television the attack was “very dangerous” and showed how business and state agencies needed to improve their preparedness.
“In a different geopolitical situation, it may be government actors who attack us in this way in order to shut down society and create chaos,” he said.