Kaseya Ransomware Attack Demands Action to Match Rhetoric
On July 2, as U.S. offices prepared to close down for the long weekend in celebration of July 4, businesses around the world were hit by the single biggest ransomware attack on record. A cybercriminal group, REvil, is demanding $50 million to restore victims’ data, after using a one-two-three punch of a zero-day vulnerability, a supply chain hack, and a ransomware encryption program. While recovery is underway for an estimated 1,500 affected businesses, the real test is still to come: whether Russia will take action against a ransomware group that uses its territory as a safe haven and, if not, whether the Biden administration will follow through on tougher rhetoric about retaliation. In a press conference on Tuesday, July 6, White House press secretary Jen Psaki reinforced that rhetoric, saying, “if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.”
Q1: What happened and who are the victims?
A1: The attack on July 2 targeted Kaseya, a U.S. company whose software manages networks, systems, and information technology (IT) infrastructure. Kaseya sells software tools to IT providers, who in turn service large and small businesses globally. Current estimates from Kaseya place the number of downstream businesses affected by the hack between 800 and 1,500—potentially the largest number of victims of a single ransomware attack so far. Kaseya CEO Fred Voccola said in an interview on July 6 that only 50 to 60 of the company’s 37,000 customers were compromised, while REvil brags that more than a million individual devices have been affected. Security firm ESET said it knows of victims across 17 countries. With investigations only just underway, it is still too early to tell the true scale of the attack, though some fear tens of thousands of victims may have been infected with ransomware. Businesses affected include pharmacies, gas stations, railways, dental practices, architecture firms, schools, plastic surgery centers, and libraries.
One victim of the attack experiencing tangible disruptions is the Coop supermarket chain in Sweden, which had to close down 800 stores on July 3 because of compromised cash registers. While many Coop stores have since been able to reopen using workarounds, getting systems fully back online could take weeks and cause serious losses in revenue for the company.
The ransom demands from REvil fluctuated over the holiday weekend, with initial reports suggesting the group was demanding $45,000 from smaller businesses and $5 million from larger organizations. On July 3, the criminal group also offered for the price of $70 million a “universal decryptor” it claims would unlock all affected devices. When a researcher at cybersecurity consulting firm Krebs Stamos Group reached out to the hackers to inquire about the offer, REvil lowered the cost to $50 million. Regardless of the price, the breadth and potential cost—both in ransom payments and in lost business revenue—of this attack might be unprecedented.
Q2: How did this attack happen?
A2: Various cybersecurity firms have pieced together how REvil compromised Kaseya’s software. According to a report released by IT security company Sophos, the hackers used a zero-day exploit (an industry term describing a previously unknown security flaw) to insert malicious code in a Kaseya software update. On July 4, a Dutch research group revealed it had previously discovered and disclosed the vulnerability to Kaseya, which was working to validate a patch for the issue when the hack occurred. If true, that aspect of the story could provide an interesting twist on how REvil initially discovered the vulnerability.
The use of a software update to deliver malware is a standard ploy most recently used in the SolarWinds hack reported in December 2020. In this case, the function affected was Kaseya’s Virtual System Administrator (VSA) remote management service, which performs several vital software tasks. The VSA tool is also exempt from anti-malware protections because those protections sometimes interfere with key functions of the application. That exemption gave REvil the access it needed to disable tools such as Microsoft Defender and quietly deploy its corrupted update.
Ironically, Kaseya’s software is frequently used to defend against and recover from breaches such as the July 2 hack. By exploiting the popular security software and inhibiting a means of recovery, the attackers demonstrated a clever choice of targeting. The same can be said for their choice of timing; they launched the attack on the Friday of a holiday weekend, striking while IT staffing would be low to nonexistent. Overall, the attack was a sophisticated exploit of a trusted supply chain that demonstrated a high level of skill and attention to detail from aggressive cybercriminals.
Q3: What does this mean for cybersecurity in general and for individuals in particular?
A3: Realistically, the average person will not feel any ill effects from this attack, unless they live in Sweden and tried to go grocery shopping this weekend or if they are a kindergartner in New Zealand. However, Americans, Swedes, and anyone who lives in a computer-dependent society should be eyeing both the event and the government response warily. Paid ransoms in the past coupled with limited to no consequences for the criminals involved have only encouraged bigger and bolder attacks. In a way, this hack represents a leap forward for cybercrime. The July 2 breach was an order of magnitude bigger because of the infected supply chain aspect—one vulnerability cascaded into more than a thousand victims. If this operation secures even a fraction of the $50 million ransom, other attackers have every incentive to keep stacking the price tag higher. These costs, whether paid out of company coffers or via insurance companies, are ultimately passed on to the consumers.
Indeed, consumers should be demanding better protection. Software consumers should demand that software vendors prove they have built to high security standards from the outset and that the software as a service (SaaS) deployed has been extensively tested. The May 2021 cybersecurity executive order creates new requirements for certifying secure software development and cyber best practices for anyone hoping to land a government contract and tasks the National Institute of Standards and Technology (NIST) to expand or develop such standards. Americans who interact with computers (i.e., essentially everyone) should write their congressmember and demand that companies with comprehensive ransomware recovery plans receive tax credits. Insurance companies more generally should rethink the role they play in the ransomware ecosystem and what sorts of moral hazards they are creating by reimbursing for ransom payments. The White House needs to move quickly on a comprehensive response to ransomware that includes cooperation with allies, punitive measures, and restrictions on payments.
Q4: Who was responsible for the attack?
A4: Early speculation that well-known cybercriminal group REvil was behind the July 2 attack was confirmed late on July 4 when the group posted its initial demand for $70 million to an associated dark-web blog. REvil (also known as Sodinokibi) has carried out a number of prominent attacks since forming in May 2020. The FBI identified them as the group behind a ransomware attack against global meat processor JBS in May 2021.
REvil is a RaaS (ransomware as a service) operation. Much like the model it parodies—software as a service—RaaS involves criminal organizations such as REvil leasing out their expertise and infrastructure to other criminals. Such ransomware groups are known to offer 24/7 technical support, subscription models, affiliate schemes, and online forums, just like legitimate online companies.
While White House press secretary Jen Psaki said on July 6 that the U.S. intelligence community had not officially attributed the attack, it is highly likely the group is based in Russia, with affiliate organizations worldwide. They speak Russian and they avoid targeting Russian organizations or those based in the former Soviet Union. Further, they have been allowed to operate with impunity, as long as they focus on companies in the West. These are implicit rules imposed by the Russian government on hackers and are strong signs REvil is based in Russia.
Q5: What does this cyberattack mean for U.S.-Russia relations?
A5: This is another critical moment for U.S. policy and for the credibility of the Biden administration. Russia has been the source of many of the high-profile cyberattacks affecting U.S. entities in just the past year, including JBS, Colonial Pipeline, a brute force global cyber campaign, a spear-phishing operation exploiting USAID, and SolarWinds, to name a few. After Colonial Pipeline, Biden took a tentative step toward confronting Russia, saying, “Russia has some responsibility to deal with this.” He escalated that rhetoric after his first face-to-face meeting with Putin in Geneva on June 16: “The principle is one thing. It needs to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.” This mirrors the language of UN norms that Russia has already agreed to twice.
It is now time to follow up on that or risk losing credibility that the two previous administrations already damaged in Moscow. There are several decision trees to climb, and climb quickly.
First, the national security establishment needs to take further action to hold Moscow accountable. The New York Times definitively called REvil “Russian-based,” and CNBC said the group is “believed to be based in a former Soviet state.” Marc Bleicher of Arete Incident Response in late April said, “we know they are protected most likely by Russian intelligence or the Russian government.” While these assertions are a long way from the U.S. intelligence community concluding that the group is resident in Russia, a mounting pile of evidence is leaving less room for doubt. Russia has repeatedly made commitments (most recently in May) and has obligations under international law and norms to take action to root out the criminals, even if it did not direct the group’s actions. Although Russia will likely deny responsibility with or without compelling evidence, in this case, moderate certainty will do—the key is to deliver the message that the United States will act.
Second, the Biden administration needs to decide what level of response against REvil from Moscow would be sufficient, and they need to communicate that expectation to Russian leadership. The Russian legal system is far from fair, so calling for arrests seems to endorse a politicized system. A better strategy would be the United States demanding seizure of any REvil assets and return of all ransom payments. Ideally, Washington would indict and request extradition of the cybercriminals, but Russian policy is to decline all U.S. extradition requests. Ultimately, the real proof of action in Moscow will be a decline in ransomware attacks coming out of Russia.
Third, in the likely scenario that a Russian response is lacking, the United States needs to be ready to enact its own solution. Retrieving some of the paid ransom in the case of Colonial Pipeline was both bold and appropriate; the United States should be ready to do that and more in the current scenario. The United States should also impose a cost on the Russian government for their inaction. For now, that cost should be fairly light. While many people’s long weekend was ruined, extensive and lasting damage does not yet seem certain—that is unless you own a Coop grocery store in Sweden. Options at the high end could include a “loud” cyber intrusion into a public-facing part of one of Russia’s security services, designed to make noise but not do any damage. Other options include U.S. law enforcement actions against REvil outside of Russian jurisdiction or collective diplomatic and law enforcement actions taken with European allies. Policymakers should not necessarily confine responses to the cyber domain either. Many EU member states would join in actions condemning Russia at the Organization for Security and Co-operation in Europe or perhaps the United Nations.
When the Obama administration equivocated in response to Russian aggression in Ukraine, Moscow learned that it could operate with relative impunity. The Biden administration cannot make the same mistake. This ransomware attack hardly rises to the same level as those transgressions, but this is nonetheless a test of the administration’s will to follow through. The United States should be clear in its calculation, bold in the rapidity of its response, and decisive in demonstrating that its rhetoric is not empty, but backed up by action.
Emily Harding is deputy director and senior fellow with the International Security Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Riley McCabe is a research assistant with the CSIS International Security Program. James Andrew Lewis is a senior vice president and director of the CSIS Strategic Technologies Program.
Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2021 by the Center for Strategic and International Studies. All rights reserved.