
Ransomware victim Kaseya gets master key to unlock networks

The Florida company whose software was exploited in the devastating Fourth of July weekend ransomware attack has received a universal key that will decrypt all of the more than 1,000 businesses and public organizations crippled in the global incident.

By FRANK BAJAK AP Technology Writer
July 22, 2021, 10:33 PM

BOSTON — The Florida company whose software was exploited in the devastating Fourth of July weekend ransomware attack, Kaseya, has received a universal key that will decrypt all of the more than 1,000 businesses and public organizations crippled in the global incident.

Kaseya spokeswoman Dana Liedholm would not say Thursday how the key was obtained or whether a ransom was paid. She said only that it came from a “trusted third party” and that Kaseya was distributing it to all victims. The cybersecurity firm Emsisoft confirmed that the key worked and was providing support.

Ransomware analysts offered multiple possible explanations for why the master key, which can unlock the scrambled data of all the attack’s victims, has now appeared. They include: Kaseya paid; a government paid; a number of victims pooled funds; the Kremlin seized the key from the criminals and handed it over through intermediaries — or perhaps the attack’s principal protagonist didn’t get paid by the gang whose ransomware was used.

The Russia-linked criminal syndicate that supplied the malware, REvil, disappeared from the internet on July 13. That likely deprived whoever carried out the attack of income, because such affiliates split ransoms with the syndicates that lease them the ransomware.

In the Kaseya attack, the syndicate was believed to have been overwhelmed by more ransom negotiations than it could manage, and decided to ask $50 million to $70 million for a master key that would unlock all infections.

By now, many victims will have rebuilt their networks or restored them from backups.

It’s a mixed bag, Liedholm said, because some “have been in complete lockdown.” She had no estimate of the cost of the damage and would not comment on whether any lawsuits may have been filed against Kaseya. It is not clear how many victims may have paid ransoms before REvil went dark.

The so-called supply-chain attack on Kaseya was the worst ransomware attack to date because it spread through software that companies known as managed service providers use to administer multiple customer networks, delivering software updates and security patches.

President Joe Biden called his Russian counterpart, Vladimir Putin, afterward to press him to stop providing safe haven for cybercriminals whose costly attacks the U.S. government deems a national security threat. He has threatened to make Russia pay a price for failing to crack down, but has not specified what measures the U.S. may take.

If the universal decryptor for the Kaseya attack was turned over without payment, it would not be the first time ransomware criminals have done that. It happened after the Conti gang hobbled Ireland’s national healthcare service in May and the Russian Embassy in Dublin offered “to help with the investigation.”

Macron among 14 heads of states on potential spyware list


BOSTON — French President Emmanuel Macron leads a list of 14 current or former heads of state who may have been targeted for hacking by clients of the notorious Israeli spyware firm NSO Group, Amnesty International said Tuesday.

“The unprecedented revelation … should send a chill down the spine of world leaders,” Amnesty’s secretary general, Agnes Callamard, said in a statement.

Potential targets found on a list of 50,000 phone numbers leaked to Amnesty and the Paris-based journalism nonprofit Forbidden Stories include Presidents Cyril Ramaphosa of South Africa and Barham Salih of Iraq. King Mohammed VI of Morocco and three current prime ministers — Imran Khan of Pakistan, Mustafa Madbouly of Egypt and Saad Eddine El Othmani of Morocco — are also on the list, The Washington Post reported.

The Post said none of the heads of state would offer their smartphones for forensic testing that might have detected whether they were infected by NSO’s military-grade Pegasus spyware. Thirty-seven phones identified in the investigation were either breached or showed signs of attempted infection, it has reported.

The Post and 16 other members of a global media consortium were granted access to the leaked list. Another member, the French daily Le Monde, determined that 15 members of the French government may have been among potential targets along with Macron in 2019.

Following first reports by consortium members on Sunday, the Paris prosecutor’s office said it was investigating the suspected widespread use of NSO’s military-grade Pegasus spyware to target journalists, human rights activists and politicians in multiple countries.

Also Sunday, Amnesty released a forensic analysis of the alleged targeting that showed Amazon Web Services was hosting NSO infrastructure. In response, Amazon said it shut down NSO accounts that were “confirmed to be supporting the reported hacking activity.” Amazon said the accounts had violated its terms of use.

Another U.S. company identified by Amnesty as hosting NSO servers was DigitalOcean. When contacted by The Associated Press, DigitalOcean neither confirmed nor denied whether it had identified or cut off such servers. “All of the infrastructure outlined in the Amnesty report is no longer on DigitalOcean,” it said Tuesday, without elaborating, in an emailed statement.

The consortium’s findings significantly widen the scope of alleged abuses in which NSO Group has been implicated since 2016. Those include the surveillance of friends and relatives of journalist Jamal Khashoggi, who was killed inside the Saudi consulate in Istanbul in 2018 — and highlight what critics call the urgent need to regulate global sales of commercial hacking tools.

Le Monde said the phone numbers for Macron and the then-government members were among thousands allegedly selected by NSO clients for potential surveillance. In this case, the client was an unidentified Moroccan security service, according to Le Monde.

Consortium members said they were able to link more than 1,000 numbers in 50 countries on the list with individuals, including more than 600 politicians and government officials and 189 journalists. The largest share were in Mexico and the Middle East, where Saudi Arabia is reported to be among NSO clients.

Also on the list were phone numbers in Azerbaijan, Kazakhstan, Pakistan, Morocco and Rwanda, as well as ones for several Arab royal family members, the consortium reported.

An official in Macron’s office said authorities would investigate Le Monde’s report, and if the targeting is proven, it would be “extremely grave.” Le Monde quoted NSO as saying the French president was never targeted by its clients.

NSO Group has denied that it ever maintained “a list of potential, past or existing targets.” It called the Forbidden Stories report “full of wrong assumptions and uncorroborated theories.”

The source of the leak — and how it was authenticated — has not been disclosed. While a phone number’s presence in the data does not mean an attempt was made to hack a device, the consortium said it was confident the data indicated potential targets of NSO’s government clients.

The Paris prosecutor’s office said in a statement Tuesday that it opened an investigation into a raft of potential charges, including violation of privacy, illegal use of data and illegally selling spyware.

As is common under French law, the investigation doesn’t name a suspected perpetrator but is aimed at determining who might eventually be sent to trial. It was prompted by a legal complaint by two journalists and the French investigative website Mediapart.

Multiple lawsuits by alleged victims have been filed against NSO Group, including by Facebook over the Israeli firm’s alleged hacking of its WhatsApp application.

———

Angela Charlton in Paris and Alan Suderman in Richmond, Virginia, contributed reporting.

———

This story has been updated to correct that Imran Khan is the prime minister of Pakistan, not president.


EXPLAINER: Target list of Israeli hack-for-hire firm widens


BOSTON — Human rights and press freedom activists are up in arms about a new report on NSO Group, the notorious Israeli hacker-for-hire company. The report, by a global media consortium, expands public knowledge of the target list used in NSO’s military-grade spyware. According to the report, that now not only includes journalists, rights activists and opposition political figures, but also people close to them.

The groups have decried the virtual absence of regulation of commercial surveillance tools. If the allegations of widespread targeting by NSO’s Pegasus malware are even partly true, U.N. High Commissioner for Human Rights Michelle Bachelet said in a statement, a “red line has been crossed again and again with total impunity.”

Here’s what you need to know about this issue.

NSO GROUP HAS LONG BEEN ACCUSED OF UNETHICAL HACKING. WHAT’S NEW?

The new investigation, based on leaked data of unspecified origin, builds significantly on previous efforts. Paris-based journalism nonprofit Forbidden Stories and the human rights group Amnesty International obtained the data and say that it shows people potentially targeted for surveillance by NSO’s clients.

Journalists from the consortium combed through a list of more than 50,000 cellphone numbers, identifying more than 1,000 individuals in 50 countries. They include 189 journalists, 85 human rights activists and several heads of state. Among the journalists were employees of The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde and The Financial Times.

Amnesty was able to examine the smartphones of 67 individuals on the list, finding evidence of an attempted or successful Pegasus infection on 37. Its investigators found that the phone of Washington Post journalist Jamal Khashoggi’s fiancee, Hatice Cengiz, was infected just four days after he was killed in the Saudi Consulate in Istanbul in 2018.

They found Pegasus on the phones of the co-founders of the Indian independent online outlet The Wire and repeat infections on the phones of two Hungarian investigative journalists with the outlet Direkt36.

The list of potential targets included Roula Khalaf, the editor of the Financial Times.

Fifty people close to Mexico’s president, Andres Manuel Lopez Obrador, were also on the potential target list. They include his wife, children, aides and cardiologist. Lopez Obrador was in opposition at the time. A Mexican reporter whose phone number was added to the list in that time period, Cecilio Pineda, was assassinated in 2017.

After Mexico, the largest share of potential targets were in the Middle East, where Saudi Arabia is reported to be among NSO clients. Also on the list were numbers in France, Azerbaijan, Kazakhstan, Pakistan, Morocco and Rwanda.

According to the Committee to Protect Journalists, there are few effective barriers to prevent autocratic governments from using sophisticated surveillance technology to attempt to cow or silence a free press.

WHAT DOES NSO SAY?

NSO denies ever maintaining a list of “potential, past or existing targets.” It claims to provide its services only to “vetted government agencies” for use against terrorists and major criminals, and denies any association with Khashoggi’s murder. But the company does not disclose its clients and claims it has “no visibility” into the data. Security researchers who have studied NSO’s activity contest that claim, saying the company directly manages the high-tech spying.

There is no doubt that the NSO software deployment creates various logs and other data that the company can access, said John Scott-Railton, a researcher with Citizen Lab, the University of Toronto-based watchdog that has been tracking Pegasus abuses since 2016.

Amnesty has not identified the source of the leak or how the data was authenticated, to protect the safety of its source. Citizen Lab vetted Amnesty’s methodology for confirming Pegasus infections and deemed it sound. Scott-Railton said he had no doubt the leaked data “contains intent to target.”

A phone number’s presence in the data does not necessarily mean an attempt was made to hack a device, said Amnesty, which found Pegasus infection traces on the cellphones of 15 journalists on the list.

Amnesty says the malware is so effective that it can hack even the latest models of Apple’s iPhone operating system, going undetected as it vacuums up personal and location data and seizes control of device microphones and cameras. In a statement, Apple head of security engineering Ivan Krstić did not directly address Amnesty’s claim, instead emphasizing the rarity of such targeted attacks and the company’s dedication to the security of its users.

DOES ISRAEL CONDONE THIS ACTIVITY?

Asked about its approvals of NSO’s exports, Israel’s Defense Ministry said in a statement that it “approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counter terrorism.” It said national security and strategic considerations are taken into account.

Last year, an Israeli court dismissed an Amnesty lawsuit seeking to strip NSO of its export license, citing insufficient evidence.

Citizen Lab and Amnesty have since 2016 primarily documented NSO targeting of rights activists, dissidents and journalists, including dozens of Al-Jazeera employees. But the new list significantly widens the scope of potential targets to include members of Arab royal families, diplomats and business executives, according to the consortium, which includes The Washington Post, The Guardian, Le Monde and Sueddeutsche Zeitung.

CAN ANYONE BE TARGETED? HOW CAN INFECTION BE THWARTED?

No one not involved in sensitive information-gathering outside the U.S. needs to worry much. Customers of NSO Group’s malware and other commercial surveillance tools typically focus on high-profile targets.

But those in NSO’s crosshairs may not be able to avoid infection. Its methods of infection often don’t require user interaction, such as clicking on a link in a text message.

One such “zero-click” option exploited a flaw in WhatsApp, the popular encrypted mobile-messaging service. WhatsApp and its parent company Facebook sued NSO in San Francisco federal court in 2019.

The WhatsApp suit accuses NSO Group of targeting some 1,400 WhatsApp users. Until this week, that was the largest number of potential targets of the Israeli company’s spyware amassed in one place.

——

AP correspondents Josef Federman in Jerusalem and Geir Moulson in Berlin contributed to this report.

Probe: Journalists, activists among firm's spyware targets


BOSTON — An investigation by a global media consortium based on leaked targeting data provides further evidence that military-grade malware from Israel-based NSO Group, the world’s most infamous hacker-for-hire outfit, is being used to spy on journalists, human rights activists and political dissidents.

From a list of more than 50,000 cellphone numbers obtained by the Paris-based journalism nonprofit Forbidden Stories and the human rights group Amnesty International and shared with 16 news organizations, journalists were able to identify more than 1,000 individuals in 50 countries who were allegedly selected by NSO clients for potential surveillance.

They include 189 journalists, more than 600 politicians and government officials, at least 65 business executives, 85 human rights activists and several heads of state, according to The Washington Post, a consortium member. The journalists work for organizations including The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde and The Financial Times.

Amnesty also reported that its forensic researchers had determined that NSO Group’s flagship Pegasus spyware was successfully installed on the phone of Post journalist Jamal Khashoggi’s fiancee, Hatice Cengiz, just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The company had previously been implicated in other spying on Khashoggi.

NSO Group denied in an emailed statement that the data on which the report was based was leaked from its servers “since such data never existed on any of our servers.” It called the Forbidden Stories report “full of wrong assumptions and uncorroborated theories.”

The company reiterated its claim that it only sells to governments for use against terrorists and major criminals. Critics call those claims dishonest and say repeated abuse of Pegasus spyware highlights the nearly complete lack of regulation of the private global surveillance industry.

The source of the leak — and how it was authenticated — was not disclosed. While a phone number’s presence in the data does not mean an attempt was made to hack a device, the consortium said it believed the data represented potential targets of NSO’s government clients. The Post said it identified 37 hacked smartphones on the list. The Guardian, another consortium member, reported that Amnesty had found traces of Pegasus infections on the cellphones of 15 journalists who let their phones be examined after discovering their number was in the leaked data.

The most numbers on the list, 15,000, were for Mexican phones, with a large share in the Middle East. NSO Group’s spyware has been implicated in targeted surveillance chiefly in the Middle East and Mexico. Saudi Arabia is reported to be among NSO clients. Also on the lists were phones in countries including France, Hungary, India, Azerbaijan, Kazakhstan and Pakistan.

“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice,” Amnesty quoted its secretary-general, Agnes Callamard, as saying.

AP’s director of media relations, Lauren Easton, said the company is “deeply troubled to learn that two AP journalists, along with journalists from many news organizations, are among those who may have been targeted by Pegasus spyware.” She said the AP has taken steps to ensure the security of its journalists’ devices and is investigating.

The consortium’s findings build on extensive work by cybersecurity researchers, primarily from the University of Toronto-based watchdog Citizen Lab. NSO targets identified by researchers beginning in 2016 include dozens of Al-Jazeera journalists and executives, New York Times Beirut bureau chief Ben Hubbard, Moroccan journalist and activist Omar Radi and prominent Mexican anti-corruption reporter Carmen Aristegui. Her phone number was on the list, the Post reported.

Among more than two dozen previously documented Mexican targets are proponents of a soda tax, opposition politicians, human rights activists investigating a mass disappearance and the widow of a slain journalist. In the Middle East, the victims have mostly been journalists and dissidents, allegedly targeted by the Saudi and United Arab Emirates governments.

The consortium’s “Pegasus Project” reporting bolsters accusations that not just autocratic regimes but democratic governments, including India and Mexico, have used NSO Group’s Pegasus spyware for political ends. Its members, who include Le Monde and Sueddeutsche Zeitung of Germany, are promising a series of stories based on the leak.

Pegasus infiltrates phones to vacuum up personal and location data and surreptitiously control the smartphone’s microphones and cameras. In the case of journalists, that lets hackers spy on reporters’ communications with sources.

The program is designed to bypass detection and mask its activity. NSO Group’s methods to infect its victims have grown so sophisticated that researchers say it can now do so without any user interaction, the so-called “zero-click” option.

In 2019, WhatsApp and its parent company Facebook sued NSO Group in U.S. federal court in San Francisco, accusing it of exploiting a flaw in the popular encrypted messaging service to target – with missed calls alone – some 1,400 users. NSO Group denies the accusations.

The Israeli company was sued the previous year in Israel and Cyprus, both countries from which it exports products. The plaintiffs include Al-Jazeera journalists, as well as other Qatari, Mexican and Saudi journalists and activists who say the company’s spyware was used to hack them.

Several of the suits draw heavily on leaked material provided to Abdullah Al-Athbah, editor of the Qatari newspaper Al-Arab and one of the alleged victims. The material appears to show officials in the United Arab Emirates discussing whether to hack into the phones of senior figures in Saudi Arabia and Qatar, including members of the Qatari royal family.

NSO Group does not disclose its clients and says it sells its technology to Israeli-approved governments to help them target terrorists and break up pedophile rings and sex- and drug-trafficking rings. It says its spyware is neither designed nor licensed for use against human rights activists or journalists. It says it has helped save thousands of lives in recent years. It denies its technology was in any way associated with Khashoggi’s murder.

NSO Group also denies involvement in elaborate undercover operations uncovered by The AP in 2019 in which shadowy operatives targeted NSO critics, including a Citizen Lab researcher, to try to discredit them.

Last year, an Israeli court dismissed an Amnesty International lawsuit seeking to strip NSO of its export license, citing insufficient evidence.

Amnesty spokesman Gil Naveh said of the company: “They are the most dangerous cyber weapon that we know of, and they’re not being properly overseen.”

NSO Group is far from the only merchant of commercial spyware. But its behavior has drawn the most attention, and critics say that is with good reason.

Last month, it published its first transparency report, in which it says it has rejected “more than $300 million in sales opportunities as a result of its human rights review processes.” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a strident critic, tweeted: “If this report was printed, it would not be worth the paper it was printed on.”

A new, interactive online data platform created by the group Forensic Architecture with support from Citizen Lab and Amnesty International catalogs NSO Group’s activities by country and target. The group partnered with filmmaker Laura Poitras, best known for her 2014 documentary “Citizenfour” about NSA whistleblower Edward Snowden, who offers video narrations.

Since 2019, the U.K. private equity firm Novalpina Capital has controlled a majority stake in NSO Group. Earlier this year, Israeli media reported the company was considering an initial public offering, most likely on the Tel Aviv Stock Exchange.

$10 million rewards bolster White House anti-ransomware bid


The State Department will offer rewards up to $10 million for information leading to the identification of anyone engaged in foreign state-sanctioned malicious cyber activity against critical U.S. infrastructure, including ransomware attacks.

By FRANK BAJAK AP Technology Writer
July 15, 2021, 12:01 PM

BOSTON — The State Department will offer rewards up to $10 million for information leading to the identification of anyone engaged in foreign state-sanctioned malicious cyber activity against critical U.S. infrastructure — including ransomware attacks — and the White House has launched a task force to coordinate efforts to stem the ransomware scourge.

The Biden administration is also launching the website stopransomware.gov to offer the public resources for countering the threat and building more resilience into networks, a senior administration official told reporters.

Another measure being announced Thursday to combat the ransomware onslaught is from the Financial Crimes Enforcement Network at the Treasury Department. It will engage banks, technology firms and others on better anti-money-laundering efforts for cryptocurrency and more rapid tracing of ransomware proceeds, which are paid in virtual currency.

Officials are hoping to seize more extortion payments in ransomware cases, as the FBI did in recouping most of the $4.4 million ransom paid by Colonial Pipeline in May.

The rewards are being offered under the State Department’s Rewards for Justice program. It will offer a tips-reporting mechanism on the dark web to protect sources who might identify cyber attackers and/or their locations, and reward payments may include cryptocurrency, the agency said in a statement.

The administration official would not comment on whether the U.S. government had a hand in Tuesday’s online disappearance of REvil, the Russian-linked gang responsible for a July 2 supply chain ransomware attack that crippled well over 1,000 organizations globally by targeting Florida-based software provider Kaseya. Ransomware scrambles entire networks of data, which criminals unlock when they get paid.

Cybersecurity experts say REvil may have decided to drop out of sight and rebrand under a new name, as it and several other ransomware gangs have done in the past to try to throw off law enforcement.

Another possibility is that Russian President Vladimir Putin actually heeded President Joe Biden’s warning of repercussions if he didn’t rein in ransomware criminals, who enjoy safe harbor in Russia and allied states.

That seemed improbable, however, given Kremlin spokesman Dmitry Peskov’s statement to reporters Wednesday that he was unaware of REvil sites disappearing. “I don’t know which group disappeared where,” he said. He said the Kremlin deems cybercrimes “unacceptable” and meriting of punishment, but analysts say they have seen no evidence of a crackdown by Putin.

———

Associated Press writer Daria Litvinova in Moscow contributed to this report.

Number of victims in major ransomware attack still unclear


The company whose software was exploited in the biggest ransomware attack on record said Tuesday that so far it appears fewer than 1,500 businesses were compromised. But cybersecurity experts suspect the estimate is low and note that victims are still being identified.

A couple of examples of the impact the attack has had in the at least 17 countries affected: the weekend shuttering of most of the 800 supermarkets in the Swedish Coop chain because the malware crippled their cash registers, and the reported knocking offline of more than 100 New Zealand kindergartens.

Miami-based Kaseya said that it believes only about 800 to 1,500 of the estimated 800,000 to 1,000,000 mostly small business end-users of its software were affected. They are customers of companies that use Kaseya’s virtual system administrator, or VSA, product to fully manage their IT infrastructure.

The statement was widely reported after the White House shared it with media outlets.

Cybersecurity experts said, however, it is too early for Kaseya to know the true impact of Friday’s attack. They note that because it was launched by the Russia-linked REvil gang on the eve of the Fourth of July holiday weekend in the U.S., many targets may only be discovering it upon returning to work Tuesday.

Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms. In the U.S., disclosure of a breach is required by state laws when personal data that can be used in identity theft is stolen. Federal law mandates it when healthcare records are exposed.

Unlike many ransomware attacks, the criminals in this one apparently had no time to steal data before locking up networks. They are demanding up to $5 million for bigger victims, and $45,000 for small ones.

And in what many researchers considered a PR stunt, REvil is offering on its site on the dark web to release a universal software decoder to free all victims in exchange for a lump sum payment of $70 million. It did not say who it expected to pay. The criminals claim to have infected a million systems.

Most of the more than 60 Kaseya customers that company spokeswoman Dana Liedholm said were affected are managed service providers (MSPs), with multiple customers downstream.

“Given the relationship between Kaseya and MSPs, it’s not clear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming though,” said Jake Williams, chief technical officer of the cybersecurity firm BreachQuest.

The hacked VSA tool remotely maintains customer networks, automating security and other software updates. Essentially, a product designed to protect networks from malware was cleverly used to distribute it.

“It’s too soon to tell, since this entire incident is still under investigation,” said the cybersecurity firm Sophos, which has been tracking the incident closely. It and other cybersecurity outfits questioned whether Kaseya had visibility into the crippled managed service providers.

In an interview with The Associated Press on Sunday, Kaseya CEO Fred Voccola estimated the number of victims in “the low thousands.” The German news agency dpa reported earlier Sunday an unnamed German IT services company told authorities several thousand of its customers were compromised. Also among reported victims were two Dutch IT services companies.

A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, Sophos said.

Liedholm, the Kaseya spokeswoman, said the vast majority of the company’s 37,000 customers were unaffected and said the company expects to release a patch Wednesday.

The attackers, previously best known for extorting $11 million from the meat-processing giant JBS after crippling its Australian and New Zealand plants on Memorial Day, broke into at least one Kaseya server after identifying a “zero day” vulnerability, cybersecurity researchers said.

Dutch vulnerability researchers said they alerted Kaseya to a number of “severe vulnerabilities” ahead of the attack.

“We think they have been responsible in the way they responded to our disclosure and we actually have seen them reacting diligently,” said Frank Breedijk of the Dutch Institute for Vulnerability Disclosure. “Unfortunately, too late. The malware gang beat us in the end sprint.”

Neither Breedijk nor Kaseya would say when the Dutch researchers alerted the company to exploited vulnerabilities.

President Joe Biden said Saturday that he ordered a “deep dive” by U.S. intelligence into the attack and that the U.S. would respond if it determines the Kremlin is involved. Moscow gives REvil and other ransomware gangs safe haven as long as they refrain from domestic attacks. Biden asked Vladimir Putin in Geneva last month to put an end to that, but there is no indication the Russian president has moved to do so.

Analysts say the chaos ransomware criminals have wrought in the past year — hitting hospitals, schools, local governments and other targets at the rate of about one every eight minutes — serves Putin’s strategic agenda of destabilizing the West.

The cybersecurity company Mandiant was leading the response to the Kaseya crisis, coordinating with the Cybersecurity and Infrastructure Security Agency, Kaseya said.

On Saturday, the FBI said in a statement that the attack’s scale “may make it so that we are unable to respond to each victim individually.” The next day, the White House urged all victims to notify the FBI.

Federal lawmakers are working on bipartisan legislation to make the reporting of ransomware attacks mandatory in the case of critical infrastructure, with government officials deciding whether to make details public.
