But the Russian-linked cybercrime gang may have bitten off more than they can chew.
Hackers suspected to be behind a mass extortion attack that affected hundreds of companies worldwide late on Sunday demanded $70 million to restore the data they are holding ransom, according to reporting by Reuters.
The demand was posted on a blog typically used by the REvil cybercrime gang, a ramsomware group with suspected ties to Russia. The gang has been dominating the global ransomware scene lately.
REvil has an affiliate structure, which makes it difficult to determine who speaks on the hackers’ behalf. But Allan Liska of cybersecurity firm Recorded Future told Reuters that the message “almost certainly” came from REvil’s core leadership.
The group has not responded to an attempt by Reuters to reach it for comment.
A global attack on multiple countries and industries
REvil’s ransomware attack, which the group executed on July 2, was among the most dramatic in a series of increasingly attention-grabbing hacks.
The gang broke into Kaseya, a Miami-based information technology firm, and used their access to breach some of its clients’ clients, setting off a chain reaction that quickly paralyzed the computers of hundreds of firms worldwide.
An executive at Kaseya said the company was aware of the ransom demand but did not immediately return further messages seeking comment.
The attack targeted about a dozen different countries, according to research published by cybersecurity firm ESET.
In at least one case, the disruption spilled out into the public domain. Swedish Coop grocery store chain had to close hundreds of stores because its cash registers went offline as a consequence of the attack.
Attackers this time deviated from their standard operating procedure
Those hit included schools, small public-sector bodies, travel and leisure organizations, credit unions and accountants, said Ross McKerchar, chief information security officer at Sophos Group Plc.
McKerchar’s company was one of several that had blamed REvil for the attack, but Sunday’s statement was the group’s first public acknowledgement that it was behind the campaign.
Ransom-seeking hackers usually focus their attacks against single, high-value targets like Brazilian meatpacker JBS, whose production REvil disrupted last month. JBS said it ended up paying the hackers $11 million.
Liska said he believed the hackers had bitten off more than they could chew by scrambling the data of hundreds of companies at a time and that the $70 million demand was an effort to make the best of an awkward situation.
“For all of their big talk on their blog, I think this got way out of hand,” he said.