According to a post on a dark web site, the hackers suspected of being behind the large-scale ransomware attack have demanded $70 million to restore the data.
The demand was posted late on Sunday night on a website commonly used by the REvil cybercriminal group, which is associated with Russia and is one of the most prolific extortionists in the cybercrime world.
The group has an affiliate structure, so it is sometimes difficult to determine who is speaking on behalf of the hackers, but Allan Liska of the network security company Recorded Future said that the post is “almost certainly” from REvil’s core leadership.
The organization has not yet responded to Reuters’ attempts to contact it for comment.
The REvil ransomware attack carried out on Friday is the latest in a series of increasingly high-profile hacking attacks.
The gang broke into the Miami-based information technology company Kaseya and used that access to attack some of its customers’ customers, triggering a chain reaction that quickly paralyzed the computers of hundreds of companies around the world.
Cyber security experts quickly blamed REvil for the attack. Sunday’s post was the first time the group publicly claimed responsibility for it.
A Kaseya executive said that the company was aware of the ransom demand but did not immediately respond to messages seeking further comment.
Liska said he believes the hackers have bitten off more than they can chew.
“For all their important conversations on the blog, I think it’s out of control, and it’s much bigger than they expected,” he said.
‘out of control’
The ransomware attack is one of the largest attacks in history, spreading across the world on Saturday. In one example of its impact, it forced the Swedish Coop grocery chain to close all of its 800 stores because it was unable to operate cash registers.
This attack hijacked Kaseya’s desktop management tool VSA and pushed a malicious update, infecting technology management providers that serve thousands of enterprises.
Security company Huntress Labs was one of the first to alert the vendor’s customers to the wave of infections, saying on Saturday that thousands of small companies may have been hit.
Kaseya, based in Miami, said it is working with the FBI and that only about 40 customers are directly affected. It did not comment on how many of them are service providers that spread the malware to others.
In a statement late on Saturday, the FBI said it was coordinating the investigation with the U.S. Cybersecurity and Infrastructure Security Agency.
“We encourage all those who may be affected to adopt the recommended mitigation measures, and encourage users to immediately shut down the VSA server following Kaseya’s guidance,” the agency said.
Affected companies had their files encrypted and received electronic notes demanding ransoms of thousands or millions of dollars.
‘tip of the iceberg’
Some experts said that the attack was launched on the Friday before a long weekend in the United States so that it could spread as soon as employees left work.
“The victims we are seeing may be just the tip of the iceberg,” said Adam Meyers, senior vice president of security company CrowdStrike.
President Joe Biden said on Saturday that he has instructed US intelligence agencies to investigate who was behind the attack.
According to Coop, one of Sweden’s largest grocery chains, the tool used to remotely update its cash registers was affected by the attack, making it impossible to take payments.
Coop spokesperson Therese Knapp told Swedish TV: “We have been troubleshooting and recovering all night, but we have already stated that we need to close the store today.”
According to the Swedish news agency TT, the Kaseya technology is used by the Swedish company Visma Esscom, which manages servers and equipment for many Swedish companies.
The national railway service and a chain of pharmacies were also disrupted.
“They have been hit to varying degrees,” Fabian Mogren, CEO of Visma Esscom, told TT.
Defense Minister Peter Hultqvist told Swedish television that the attack was “very dangerous” and showed how companies and state institutions need to improve their preparedness.
“Under different geopolitical situations, it may be government actors attacking us in this way to shut down society and create chaos,” he said.