In private conversation, hackers behind ransomware outbreak lower demand to $50 mln

by Reuters
Monday, 5 July 2021 19:56 GMT

(Recasts, adds interview with the hackers; further expert comment)

By Raphael Satter

WASHINGTON, July 5 (Reuters) - The hackers who have claimed responsibility for an international ransomware outbreak have lowered their asking price in a private conversation with a cybersecurity expert, something he said may be a sign the group was having trouble monetizing their massive breach.

The REvil ransomware gang, also known as Sodinokibi, is publicly demanding $70 million to restore the data it's holding ransom after their data-scrambling software affected hundreds of small and medium businesses across a dozen countries - including schools in New Zealand and supermarkets in Sweden.

But in a conversation with Jack Cable of the cybersecurity-focused Krebs Stamos Group, one of the gang's affiliates said he could sell a "universal decryptor" for all the victims for $50 million.

Cable told Reuters he managed to get through to the hackers after obtaining a cryptographic key needed to log on to the group's payment portal. Reuters was subsequently able to log on to the payment portal and chat with an operator who said the price was unchanged at $70 million "but we are always ready to negotiate."

Because of REvil's affiliate structure, it is occasionally difficult to determine who speaks on the hackers' behalf, but Cable said both conversations suggested that despite the headline $70 million demand "they're definitely not attached to that number."

"It makes you wonder if they're having a hard time getting people to pay," he said.

Another expert said that the hackers, by encrypting so much data from so many businesses at once, may have bitten off more than they could chew.

"For all of their big talk on their blog, I think this got way out of hand," said Allan Liska of cybersecurity firm Recorded Future.

The fallout of the July 2 hack is still coming into focus. New Zealand said on Monday that 11 schools and several kindergartens were affected by the ransomware attack.

Kindergarten Association Whānau Manaaki, which has more than 100 member kindergartens, said it had been impacted and had asked members to keep offline, Radio New Zealand reported. Education Minister Chris Hipkins said the government was working to isolate any further risks.

In their conversation with Reuters, the hackers' representative described the disruption in New Zealand as an "accident."

But they expressed no such regret about the disruption in Sweden, where hundreds of Coop supermarkets had to be closed because of the attack.

"It's nothing more than a business," the representative said when asked about the impact on grocery stores.

About a dozen different countries have been affected by the breach, according to research published by cybersecurity firm ESET (https://www.welivesecurity.com/2021/07/03/kaseya-supply-chain-attack-what-we-know-so-far).

On Sunday, the White House said it was reaching out to victims of the outbreak "to provide assistance based upon an assessment of national risk." (Reporting by Raphael Satter; Additional reporting by Praveen Menon in Wellington, New Zealand. Editing by Kim Coghill, Robert Birsel, William Maclean)
