Experts Doubt Kaseya Knows How Many Businesses Impacted by REvil Ransomware Attack

Cybersecurity experts say it's unlikely Kaseya knows the actual number of businesses affected by the Russia-linked REvil gang cyberattack on Friday, as many targets may only discover the damage upon returning to work Tuesday.

Jake Williams, chief technical officer of cybersecurity firm BreachQuest, said the numbers currently claimed are likely low due to Kaseya customers being managed service providers (MSPs).

"Given the relationship between Kaseya and MSPs, it's not clear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming though," Williams said.

Most of the more than 60 Kaseya customers that were informed via email that they were affected on Sunday are MSPs with multiple customers of their own.

A statement released by the White House says that anyone who believes they were compromised by the attack should immediately report it to the Internet Crime Complaint Center.

"The FBI and CISA will reach out to identified victims to provide assistance based upon an assessment of national risk," the statement read.

For more reporting from the Associated Press, see below.

Experts say they believe it's too early for Kaseya to be able to tell just how many customers were affected by the ransomware attack by Russia-linked group REvil on Friday. Getty Images

The company whose software was exploited in the biggest ransomware attack on record said Tuesday that so far it appears that fewer than 1,500 businesses were compromised. But cybersecurity experts suspected the estimate was low and noted that victims are still being identified.

Miami-based Kaseya said in a prepared statement that it believed only about 800 to 1,500 of the estimated 800,000 to 1,000,000 mostly small businesses, customers of companies that use its software to manage IT infrastructure, were affected by the attack.

The hacked Kaseya tool, VSA, remotely maintains customer networks, automating security and other software updates. Essentially, a tool designed to protect networks from malware was cleverly used to distribute it.

"It's too soon to tell, since this entire incident is still under investigation," said the cybersecurity firm Sophos, which has been tracking the incident closely. It and other cybersecurity outfits questioned whether Kaseya had visibility into crippled managed service providers.

In an interview with The Associated Press on Sunday, Kaseya CEO Fred Voccola estimated the number of victims in "the low thousands." The German news agency dpa reported earlier Sunday an unnamed German IT services company told authorities several thousand of its customers were compromised. Also among reported victims were two Dutch IT services companies.

A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, Sophos said.

Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up. Most ransomware victims don't publicly report attacks or disclose if they've paid ransoms.

President Joe Biden said Saturday that he ordered a "deep dive" by U.S. intelligence into the attack and that the U.S. would respond if it determines the Kremlin is involved.

A sign that reads: "Coop Forum supermarket in Vastberga is closed due to IT disturbances, no prognosis as to when we will open again", on a closed Coop supermarket store in the suburb of Vastberga, Stockholm, Sweden, Saturday July 3, 2021. Cybersecurity teams worked feverishly Sunday July 4, 2021, to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit. Jonas Ekstromer/TT via AP, File