The group of Russian hackers who have claimed responsibility for what is being called the biggest ransomware attack ever has demanded $70 million to unlock computers affected by the breach.
The REvil group made the demand late Sunday, offering in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency.
But Reuters reported that the hackers have “indicated a willingness to temper their demands in private conversations” with a cybersecurity expert and the news agency.
“We are always ready to negotiate,” a REvil representative told Reuters.
The ransomware attack targeted a virtual systems/server administrator (VSA) that software vendor Kaseya supplies to IT providers. Those customers typically handle back-office work for companies too small or modestly resourced to have their own tech departments.
Kaseya said the hack affected between 800 and 1,500 businesses, most of them customers of its customers.
“Although most of those affected have been small concerns — like dentists’ offices or accountants — the disruption has been felt more keenly in Sweden, where hundreds of supermarkets had to close because their cash registers were inoperative,” Reuters said.
REvil locked each victim computer as a standalone target and initially asked $45,000 to unlock each specific device. Allan Liska, an analyst at the cybersecurity firm Recorded Future, said it was extremely difficult to imagine victims banding together to jointly pay $70 million.
“Despite the braggadocio in their note, I actually think it is actually a sign they are overwhelmed,” he told NBC News.
The REvil hack has similarities to the SolarWinds “supply chain” breach last year, which also exploited a flaw in a common product or service used widely across the internet to rapidly hack scores of victims before the compromises were detected.
Kaseya’s customers use its VSA to manage and send out software updates to systems on computer networks. “Supply-chain attacks like the one involving Kaseya have long been a concern for cybersecurity professionals, even more so after last year’s so-called SolarWinds hack,” The Wall Street Journal said.