Kaseya VSA ransomware attack: Hackers offer $99.7m to decrypt victims' computers

The hackers behind one of the largest ransomware attacks in history have offered to decrypt their victims' computers for US$70 million (NZ$99.7 million).

On Saturday, Miami-based software company Kaseya had its servers hacked, and the attack then spread through its 40,000 customers, many of which are large IT providers. These providers in turn offer services to hundreds of smaller businesses in almost every corner of the world.

The hackers claim they've infected more than one million systems and all were told to take their systems offline indefinitely.

Late on Monday, the hackers said that, for US$70 million, they would decrypt all their victims' computers.

The hack was so large not even New Zealand's Government cybersecurity agency CERT NZ knows yet just how many were hit here. CERT NZ's incident control manager Nadia Yousef says it will take days, if not weeks, to work out how widespread the issue is.

"Any organisation that's using Kaseya VSA tool is potentially going to be affected by this ransomware," she says.

She urges companies and organisations to have good backups stored securely offline from the network as it's the best way to get around and recover from a ransomware attack.

Cambridge's St Peter's School was one of those affected in the attack, and cybersecurity experts have been frantically working to unravel it. But the school says it's confident it's removed the threat and recovered all encrypted files.

It currently seems that most New Zealand businesses and schools caught up in the attack might have avoided the worst.

"The New Zealand schools which have been affected are unlucky - it's no fault of their own because the hack has come in through their IT provider," says IT security consultant Daniel Ayers.

"It's not their IT provider's fault either because it's a problem that exists in the Kaseya software."

It comes after ransomware attacks on the Waikato DHB and Reserve Bank, and Ayers warns it's only going to get worse.

"As best we know it appears to be a Russian cybercrime gang called REvil and they have been spreading ransomware around the world for some time now," he says.

It comes just weeks after US President Joe Biden warned Russian President Vladimir Putin that he would retaliate if the hackers continued. Biden also asked US intelligence agencies to investigate this latest attack.

"The initial thinking was it was not the Russian government, but we're not sure yet," he says.

The only thing that is assured is that the best defence is having excellent backups stored offline.