Jul 7, 2021 - Technology

The ransomware-attack leaderboard


The July 4 weekend's Kaseya ransomware attack was huge — but while some experts and lawmakers are calling it "the biggest ever" or "largest ransomware attack in history," it's too soon to award that title.

Ranking these incidents is tricky, since the cybersecurity world has no single yardstick for measuring or comparing the size of attacks.

You can size up these attacks by:

  • Number of victims, which might be individuals or companies and organizations of varying sizes;
  • Estimated economic cost in lost data, lost network time and other disruptions;
  • Or amount of ransom paid.

To gauge how "big" an attack is, Randy Watkins, CTO at Criticalstart, recommends looking at "multiple cross-sections between ransom amount, number of infected machines, number of infected organizations and the criticality of the organizations affected."

Yes, but: These numbers change as new information comes to light. Sometimes the public and even the affected companies never get a complete picture.

How it worked: Kaseya sells remote management tools to service providers, who use them to manage companies' systems.

  • The attackers, who have been widely identified as the Russia-connected REvil group, infected Kaseya's tools, which in turn transmitted malicious code to downstream companies, locking them out of their data and systems.
  • On Tuesday, Kaseya said it believes the attack "directly compromised" "fewer than 60" of its service provider customers, and "fewer than 1500" companies who were those service providers' customers — ranging from small businesses to a Swedish supermarket chain with hundreds of stores.

REvil started by asking for a reported $45,000 in Bitcoin from each affected company. Then they demanded a lump-sum $70 million to provide one key that would free all the affected firms' systems. Then they lowered that demand to $50 million.

  • The switch to a wholesale approach, some analysts suggested, showed that the attackers couldn't handle managing the sheer volume of individual cases.

What they're saying: "Ransom size, victim number, victim size, brand damage are increasing exponentially," said Danny Clayton, vice president of global services at Bitdefender.

  • "Most ransomware attacks go unreported," he said, "so to help understand the magnitude of a cyber-event, look at the organizations taking notice" — in this case, President Biden, the FBI and the Cybersecurity and Infrastructure Security Agency.

The big picture: Kaseya is the latest in a flood of ransomware attacks that have plagued U.S. companies in recent weeks.

Flashback: In 2017, the WannaCry ransomware attack, widely attributed to North Korea-based hackers, infected hundreds of thousands of computers running Microsoft Windows.

One link connecting nearly all these incidents is Russia.

  • As in the case of the non-ransomware SolarWinds breaches, Russia disclaims any responsibility for the current ransomware epidemic, but U.S. experts and leaders see the Kremlin's fingerprints in most of these exploits.
  • The Kaseya attack has raised new calls for the Biden administration to get tough with Russia.