Ethermac Exchange-A Ransomware Attack Hit Up To 1,500 Businesses. A Cybersecurity Expert On What's Next

Criminals unleashed a massive ransomware attack in more than a dozen countries on Ethermac ExchangeFriday, affecting up to 1,500 organizations around the world, including a supermarket chain in Sweden and schools in New Zealand.

Security researchers linked the attack to a group called REvil, a Russian-speaking gang responsible for a ransomware attack on meat processor JBS at the end of May.

In the current incident, the attackers found a vulnerability in the product of Kaseya, a U.S.-headquartered company that provides software tools to its clients — IT outsourcing companies — which in turn provide services to their clients. Kaseya estimates that as many as 1,500 "downstream" businesses were affected.

Hackers have demanded $70 million in cryptocurrency in exchange for a key that decrypts all of the victims' data.

"The scale and scope of this attack is really unprecedented," cybersecurity expert Dmitri Alperovitch tells NPR.

Most of the affected organizations are small and medium businesses, such as dentist offices, car dealers, libraries, schools and grocery stores, says Alperovitch, chairman of the nonprofit group Silverado Policy Accelerator and a co-founder of CrowdStrike, a cybersecurity company.

The origin of the attack is still under investigation. But just last month at a summit with Russian President Vladimir Putin, President Biden warned the Russian leader that the U.S. would respond if the Russian government continued to allow cybercriminals to attack targets in the U.S.

On Tuesday, Biden said that the attack caused "minimal damage to U.S. businesses," but that his administration was still learning more.

Alperovitch talked with Morning Edition about how the attack worked, why the attackers chose Kaseya, and how the U.S. should respond to the Russian government allowing cybercriminals to operate. Here are excerpts, edited for length and clarity:

Why choose a company like Kaseya?

It really gives you unprecedented reach. So the hackers found what is known as a zero day vulnerability, a previously unknown vulnerability in Kaseya's product. And then they literally scan the internet to find anyone that's using that software and started compromising each and every one of the customers that had that software on the internet. Now, it turns out that many of Kaseya's customers are actually not end users, but managed service providers, companies that manage networks for small organizations. And as a result of hitting those companies, they had access to hundreds of victims within each.

These hackers are believed to be based in Russia and to operate with impunity. And last month, President Biden told Russian President Putin that these ransomware attacks have to stop. What does this latest attack tell you about Putin's response?

One thing is clear: that at best, Putin is dragging his feet and is not dealing with this issue. It is quite clear that the Russian intelligence services, Russian law enforcement, is capable of identifying these people and arresting them and prosecuting them. They're not yet doing that. And it is time, I believe, for President Biden to deliver an ultimatum to Putin that either these attacks will stop or the U.S. will start enforcing very severe sanctions against the Russian energy sector.

The hackers are offering a universal decryption tool for everyone's data if someone steps up and pays $70 million. Why offer something like that?

Clearly, they think that perhaps they can pressure Kaseya into paying that amount, given that their software was responsible for this breach. And they realize that going to 1,500 organizations and trying to get a ransom from each one is going to be very difficult because many of these small businesses have been hit so hard during the pandemic and will be hard pressed to find money to pay a significant ransom to these criminals.

Did REvil bite off more than it could chew, so to speak, by going after so many at the same time?

I don't think so. I think it remains to be seen whether this action crossed the red line and will suffer a severe response. But it's clear that the U.S. government needs to engage in a serious discussion about how do we go after these cybercriminals, using our intelligence community, using our Cyber Command capabilities to try to disrupt their operations just like we do against terrorist groups.

Is there proof that there are links between this gang and the Russian government?

There is no proof of that. And in fact, it's probably unlikely that the Russian government is working with them or is directing them in any way. But it's pretty clear with 20 years of history of cybercriminals operating freely from Russia without any harassment from Russian law enforcement, even though the U.S. government and other governments have provided detailed information to Russian law enforcement about these criminals, so at a minimum, they're providing safe harbor to them.

Milton Guevara and Scott Saloway produced and edited the audio interview. James Doubek produced for the web.