A few days after initiating a widespread supply-chain ransomware attack, the notorious ransomware operation Sodinokibi, popularly known as REvil, has demanded a payment of $70 million in bitcoin in exchange for a universal decryptor.
The ransomware group made its demands known via its dark web data leak site, saying:
“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.”
The Kaseya Attack
REvil launched its global ransomware attack through the US-based software firm Kaseya on Friday. Kaseya VSA is a cloud-based IT management and remote monitoring solution for managed service providers (MSPs).
This attack is reportedly regarded as the largest ransomware attack on record, affecting up to 1 million companies in at least 17 different countries across various continents.
REvil carried out this attack by exploiting zero-day vulnerabilities in Kaseya’s VSA software.
The attack directly affected just a few of Kaseya’s clients, but the secondary effects crippled the systems of several companies in over 17 countries, including the UK, Mexico, South Africa, Germany, Indonesia, Canada, and more, who used Kaseya’s hacked VSA to manage their customers.
A Swedish grocery chain, Coop, was compelled to close all 800 of its stores on Sunday because of the hack. Sweden’s national rail operator and public broadcaster SVT were also affected.
An unnamed IT services firm in Germany revealed that the data of thousands of its customers was compromised.
Additionally, two top Dutch IT services firms, VelzArt and Hoppenbrouwer Techniek, were among the reported victims.
It is difficult to calculate the exact number of businesses affected, as most of the victims are reportedly small to medium-sized firms that have few resources to publicly announce that they were affected.
REvil’s Negotiations
Shortly after launching the ransomware, REvil was negotiating ransoms of up to $5 million with each of the affected firms.
However, it has since resorted to offering blanket decryption for all affected systems, which, according to a cybersecurity firm analyst, Allan Liska, is due to its “inability to cope with the sheer quantity of affected networks.”
Liska added,
“This attack is a lot bigger than they expected and it is getting a lot of attention. It is in REvil’s interest to end it quickly. This is a nightmare to manage.”
Another analyst, Brett Callow, pointed out that REvil might be expecting insurers to “crunch the numbers and determine the $70 million will be cheaper for them than extended downtime.”
In September last year, REvil pledged over $1 million in bitcoin to recruit more hackers for its group.