Notorious ransomware group REvil is demanding $70 million in bitcoin from more than 200 US firms as quid pro quo for a decrypter for all infected systems.

On Saturday, ABC News Australia reported that REvil had struck once again, this time targeting the vulnerabilities of software company Kaseya. The group spread ransomware through the cloud via the company’s network-management package. 

Speaking through a post taken from dark web blog site Happy Blog, REvil reported they had infected “a million systems” with the ransomware.

REvil is a group of cybercriminals that offer ransomware as a service (RaaS). They provide clients with encryptors and decryptors and a leak site for publishing compromised data should victims refuse to pay the ransom. They take a percentage of the ransom money as a service fee.

Targeting Kaseya

The attack specifically targeted Managed Service Providers (MSPs) of American software company Kaseya. Initial reports suggest that the hacker group exploited a weakness in Kaseya’s update system used for remote management or VSA. 

The ransomware was reportedly deployed through the tool’s patch management functionality. The group also reset admin access, securing total control over compromised systems.

Upon learning the breach, Kaseya shut down their software as a service (SaaS) server and informed their clientele to deactivate on-premise VSA servers.

REvil’s attacks, so far

This is not the first and probably won’t be the last ransomware attack by REvil. In sum, it has claimed responsibility for over 19 breaches beginning in 2019. Worse, the group has successfully coerced payments from its victims.

Colonial Pipeline was forced to pay $5 million in ransom after REvil compromised its systems, resulting in a gas crisis in the U.S. Meanwhile, on May 30, the group hacked meat giant JBS Holdings and successfully received an $11 million ransom.

As a result of this series of these cyberattacks, President Joe Biden has ordered US intelligence to probe the attacks, specifically if Russia was behind it.

Cybersecurity firm Sophos is investigating the recent Kaseya attack, which they view as a supply chain distribution attack. Experts at Sophos believe that REvil is targeting MSPs for their delivery method in order to strike as many and as diverse businesses as possible, all at once. 

Groups like REvil are constantly evolving their methods to make their hits more lucrative or to do the worst possible damage. They steal data, credentials, and proprietary information to leverage a ransom and threaten to release stolen data through a leak site in a double extortion tactic.