
Illustration: Sarah Grillo/Axios
The July 4 weekend's Kaseya ransomware attack was huge — but while some experts and lawmakers are calling it "the biggest ever" or "largest ransomware attack in history," it's too soon to award that title.
Ranking these incidents is tricky, since the cybersecurity world has no single yardstick for measuring or comparing the size of attacks.
You can size up these attacks by:
- Number of victims, which might be individuals or companies and organizations of varying sizes;
- Estimated economic cost in lost data, lost network time and other disruptions;
- Or amount of ransom paid.
To gauge how "big" an attack is, Randy Watkins, CTO at Criticalstart, recommends looking at "multiple cross-sections between ransom amount, number of infected machines, number of infected organizations and the criticality of the organizations affected."
Yes, but: These numbers change as new information comes to light. Sometimes the public and even the affected companies never get a complete picture.
How it worked: Kaseya sells remote management tools to service providers who use it to manage companies' systems.
- The attackers, who have been widely identified as the Russia-connected REvil group, infected Kaseya's tools, which in turn transmitted malicious code to downstream companies, locking them out of their data and systems.
- On Tuesday, Kaseya said it believes the attack "directly compromised" "fewer than 60" of its service provider customers, and "fewer than 1500" companies who were those service providers' customers — ranging from small businesses to a Swedish supermarket chain with hundreds of stores.
REvil started by asking for a reported $45,000 in Bitcoin from each affected company. Then they demanded a lump-sum $70 million to provide one key that would free all the affected firms' systems. Then they lowered that demand to $50 million.
- The switch to a wholesale approach, some analysts suggested, showed that the attackers couldn't handle managing the sheer volume of individual cases.
What they're saying: "Ransom size, victim number, victim size, brand damage are increasing exponentially," said Danny Clayton, vice president of global services at Bitdefender.
- "Most ransomware attacks go unreported," he said, "so to help understand the magnitude of a cyber-event, look at the organizations taking notice" — in this case, President Biden, the FBI and the Cybersecurity and Infrastructure Security Agency.
The big picture: Kaseya is the latest in a flood of ransomware attacks that have plagued U.S. companies in recent weeks.
- Memorial Day weekend saw a ransomware attack, also believed to be by REvil, on global meat-processing giant JBS.
- Earlier in May, Colonial Pipeline was hit with a similar attack, but after the company paid a $4.4 million ransom in Bitcoin, government investigators were able to recover most of it.
Flashback: In 2017, the Wannacry ransomware attack, widely attributed to North Korea-based hackers, infected hundreds of thousands of computers running Microsoft Windows.
- NotPetya, fast-propagating malware deployed in 2017 by Russia against Ukraine, was dubbed "the most devastating cyberattack in history" by Wired. Based on a ransomware attack, it wrought havoc on target systems even when the victims paid the ransom.
One link connecting nearly all these incidents is Russia.
- As in the case of the non-ransomware Solarwinds breaches, Russia disclaims any responsibility for the current ransomware epidemic, but U.S. experts and leaders see the Kremlin's fingerprints in most of these exploits.
- The Kaseya attack has raised new calls for the Biden administration to get tough with Russia.