Tech

Ransomware Hackers May Be in Over Their Heads. They May Not Even Get Paid.

TOO MUCH

The Russian-speaking gang that’s broken into thousands of companies is starting to offer discounts on their extortion demands, in what experts say is likely desperation.

210706-ransomeware-tease_nnvn4i
Michael Borgers

The Russian-speaking gang that set off a chain reaction of ransomware attacks around the globe last Friday might be in a little over its head, experts tell The Daily Beast.

The hackers, known as the REVil ransomware gang, went after Kaseya, a firm which sells software to other companies. By infiltrating Kaseya’s customers—many of which are IT providers—the hackers have also been able to hit those companies’ clients with malicious software that locks them out of their machines unless they pay a ransom. The victims number in the hundreds, if not thousands, according to John Hammond, a senior security researcher at Huntress Labs, which is working with Kaseya to investigate the incident.

But the sprawl of the hack seems to be tripping up the hackers themselves. The initial ransom demands the hackers made of approximately $50,000 per victim didn’t appear to be working. By Sunday, the hackers announced they would accept a lump sum of $70 million from all the victims in order to get the businesses back up and running—the largest extortion demand that’s ever been made publicly. Hours later, though, when cybersecurity consultant Jack Cable reached out to the gang, the hackers changed their tune again, suggesting that a $50 million payment would suffice—and Cable hadn’t even asked for a price drop, he told The Daily Beast.

ADVERTISEMENT

“It could just be that…they’re in over their head there,” said Cable, a consultant at cybersecurity consulting firm Krebs Stamos Group. “It seems like this didn’t go exactly as planned.”

Charles Carmakal, who is investigating the ransomware attack, told The Daily Beast the hackers are likely starting to feel a bit frantic as the days wane on.

“They’re frustrated right now. They probably, from their perspective, thought, ‘holy shit, this is such an amazing, well-executed operation, we hit some number—hundreds, maybe a thousand-plus organizations—we should be making a serious payday.’ And I don’t think they’re seeing the payday,” said Carmakal, senior vice president and chief technology officer at FireEye’s Mandiant. “I think they’re super frustrated and I think they’re making mistakes in the process.”

Ransomware incidents have been on the rise in recent months, and the Russian-speaking hacking group behind the latest ransomware spree is the same one that the FBI said ground the meat supplier JBS to a halt earlier this year in another, separate incident. Americans trying to fuel up in May felt the impacts of another ransomware attack while they waited in long lines as a major supplier of fuel on the Eastern seaboard, Colonial Pipeline, worked to recover from another Russian ransomware incident.

In the fallout, President Joe Biden warned Russian President Vladimir Putin last month during a summit that critical infrastructure should be off limits to cybercriminals in Russia. It’s unclear if this conversation has had any impact on the hackers’ operations.

Even if victims had tried to pay in recent days, they would have been greeted with an error screen and blocked from paying: ‘Something wrong. Please try again in a few minutes.’

REVil, for its part, is tripping up. Even if victims had tried to pay in recent days, the newly-infected would have run into some roadblocks. On Monday, they would have been greeted with an error screen and blocked from paying. “Something wrong. Please try again in a few minutes.”

Whether that was intentional or a mistake, for hackers trying to swindle hundreds or thousands of companies, it sure is an odd move, says Cable, who also works at the Pentagon’s Defense Digital Service.

“There has been some indications that this attack has been sloppily carried out,” Cable said.

Allan Liska, an intelligence analyst at cybersecurity firm Recorded Future, says he suspects the hacking group, which operates with a number of affiliate hackers, is likely overwhelmed by the pure scope and scale of the Kaseya ransomware incident—by Kaseya’s estimates, between 800 and 1500 companies have been compromised.

“It overwhelmed REVil’s already-slow pipeline even further, making it that much more difficult for them to operate,” Liska told The Daily Beast. “And it got them a lot of unwanted attention from a lot of different governments.”

The Biden administration is talking with “high level” Russian officials about the consequences of allowing cybercriminals to continue to operate from within Russia’s borders, White House Press Secretary Jen Psaki noted during a press briefing Tuesday.

“We have undertaken expert level talks that are continuing,” Psaki said of the hack against Kaseya. “If the Russian government cannot or will not take action against criminal actors residing Russia we will take action, or reserve the right to take action, on our own.”

Psaki did not clarify what retaliatory actions the U.S. government might take, although Biden has previously said he would not rule out a cyberattack against the criminal hackers behind the Colonial Pipeline ransomware incident.

The White House has plans to host talks with Russian officials specifically focused on ransomware next week, according to Psaki. President Joe Biden told reporters Tuesday he would have more to say about the incident in the coming days.

For now, companies compromised in the Russian hackers’ latest rampage are still in a holding pattern waiting to come back online. A decryption key, which would help victims get up and running again, has not been tested yet as of Tuesday afternoon, Mandiant told The Daily Beast.

But in the coming days, the victim list may grow—while Kaseya suspects just 1,500 customers are languishing, that number may be conservative because it says nothing about Kaseya’s customers’ customers, Carmakal says. Especially as smaller businesses come back online after the July 4 holiday weekend, more companies may uncover that their systems are locked up—and some may even opt to pay, Carmakal warned. Carmakal added that he is not aware of any businesses that have chosen to pay, as of Tuesday afternoon.

But the work won’t end there. The chairman of the Dutch Institute for Vulnerability Disclosure (DIVD), a volunteer security group which found the vulnerability that allowed the Russian hackers in, told The Daily Beast he has concerns about whether the Russian hackers were monitoring his team’s communications with Kaseya. The volunteer group had found the vulnerability just before the hackers exploited it and were working with Kaseya to fix the issue behind the scenes so as to not draw hackers’ attention to it in a standard industry practice known as a coordinated vulnerability disclosure.

“I think at some time they decided, ‘let’s kick it off now because security researchers are about to get this thing fixed’…I don’t know. But that’s a theory…I have,” Victor Gevers, the chairman of DIVD told The Daily Beast, clarifying that he doesn’t know what happened for sure. “You don’t do this in just a day. This requires proper testing and research. The [question] then…is how long were they inside…did they see us coming?”

Carmakal confirmed Mandiant doesn’t know the answer to these questions yet, but said his team wants to investigate the theory that the Russians were monitoring company communications beforehand.

Although the hackers may be scrambling around for payment now, they still beat DIVD to the punch, and companies ought to take stock of their ransomware plans as more and more incidents take down companies’ operations for days, Gevers noted.

”When we were on call that Friday night until late, and actually early in the morning, it became clear that we did lose the race just by a few meters in the end,” Gevers said. “So that stinks a little bit because we like to prevent this. We don’t like to see organizations get hurt. In that way it felt like a failure.”

Got a tip? Send it to The Daily Beast here.