BOSTON — The biggest global ransomware attack yet continued to bite Monday as more details emerged about how the Russia-linked gang responsible breached the software company whose product it exploited.
Thousands of organizations, many of them firms that remotely manage the IT infrastructure of others, were affected in at least 17 countries by Friday's assault. Kaseya, whose product was exploited, said Monday that several of them were only now returning to work.
Because the attack by the notorious REvil gang came at the start of the Fourth of July long weekend, many more victims were expected to learn their fate when they returned to work on Tuesday.
REvil is best known for extorting $11 million from the meat processor JBS last month. Security researchers said the gang's ability to evade anti-malware protections in this attack, and its apparent exploitation of a previously unknown vulnerability in Kaseya's servers, reflect the growing financial muscle of REvil and a few dozen other ransomware gangs, whose success is helping them buy the best digital burglary tools. These criminals infiltrate networks and paralyze them by scrambling data, then extort money from their victims.
REvil was seeking ransoms of $5 million from the so-called managed service providers that were its main immediate targets in this attack, and far less, just $45,000, from their afflicted customers.
But late Sunday it offered on its dark web site a universal decryptor that would unlock all affected machines in exchange for $70 million in cryptocurrency. Some researchers saw the offer as a publicity stunt, while others suggested the criminals had more victims than they could handle.
Sweden was hardest hit, or at least the most transparent about the damage. Its defense minister, Peter Hultqvist, lamented in a television interview "the fragility of the system when it comes to computer security." The supermarket chain Coop was closed for a third day because its cash registers were paralyzed. A Swedish pharmacy chain, a gas station chain, the state railway and the public broadcaster SVT were also affected.
A broad array of businesses and public agencies were hit, including in finance and travel, but few large corporations were affected, the cybersecurity firm Sophos said. The United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya are among the countries affected, according to researchers.
On Sunday, the U.S. deputy national security adviser, Anne Neuberger, urged all victims to alert the FBI. A day earlier, the FBI had said in an alert that the scale of the attack "may mean that we may not respond to each victim individually."
The vast majority of ransomware victims hate to admit it publicly, and many avoid reporting attacks to law enforcement or disclosing whether they paid ransoms unless required by law.
President Joe Biden said Saturday that he had ordered a "deep dive" by U.S. intelligence into the attack and that the U.S. would respond if it determined the Kremlin was involved. At a summit last month, Biden pressed Russian President Vladimir Putin to end the safe haven for REvil and other ransomware gangs that operate with impunity in Russia and allied states as long as they avoid domestic targets. Extortion attacks across industries have worsened over the past year.
On Monday, Putin's spokesman, Dmitry Peskov, was asked whether Russia was aware of the attack or had investigated it. He said it had not yet, and that this could only be discussed in the consultations between the United States and Russia on cybersecurity issues. No date has been set for such consultations, and few analysts expect the Kremlin to suppress a crime wave that serves Putin's strategic goal of destabilizing the West.
Kaseya said Monday that fewer than 70 of its 37,000 customers were affected, most of them managed service providers with multiple downstream customers. Most managed service providers probably knew by Monday at the latest whether they had been hit, but that was less likely to be true of the many small and medium-sized businesses they serve, said Ross McKerchar, chief information security officer at Sophos. The MSPs are flying blind because the same software tool they use to monitor customer networks has been taken out of service because of the attack.
Kaseya's hacked tool, VSA, remotely maintains customers' networks, automating security and other software updates.
In a report released Monday on the attack, Sophos said a VSA server had been breached with the apparent use of a "zero-day," the industry term for a software security flaw not previously known. Sophos said Kaseya helped the attackers by instructing customers not to scan its "working" folders for malware. Within those folders, the REvil code could operate undetected to disable the anti-malware and anti-ransomware protections of Microsoft's Defender program.
Sophos said REvil made no attempt to steal data in this attack. Ransomware gangs routinely do so before activating the ransomware so they can threaten to leak it online unless they are paid. This attack was simpler, only scrambling data.
In an interview Sunday, Kaseya CEO Fred Voccola would not confirm the use of a zero-day or give details about the breach, except to say it wasn't phishing and that he was confident that when the investigation by the cybersecurity company was complete, it would show that not only Kaseya but also third-party software had been breached by the attackers.
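The report above describes a vendor asking customers to exempt its working folders from anti-malware scanning, which gives anyone who can write to those folders a scan-free staging area. The PowerShell script below is an added example, not code from the article, from Kaseya or from Sophos: it uses the Defender module's Get-MpPreference and Get-MpComputerStatus cmdlets to list every path, extension and process exclusion on a Windows host, flag whole-drive or top-level exclusions, check whether any folder on a watch list is covered by an exclusion, and report whether real-time and tamper protection are still on. The watch-list folders (C:\ExampleRMM\working and C:\ProgramData\ExampleRMM) are hypothetical placeholders, not Kaseya's actual recommended exclusions.

```powershell
# Added example (not from the article, Kaseya or Sophos): audit Microsoft
# Defender exclusions and protection state on a Windows host.
# Assumes Windows PowerShell 5.1+ with the Defender module present
# (Get-MpPreference, Get-MpComputerStatus). Run as an administrator.
# The watch list below is hypothetical; substitute the folders your own
# remote-management agent asked you to exclude.

$watchList = @(
    'C:\ExampleRMM\working',      # hypothetical agent working folder
    'C:\ProgramData\ExampleRMM'   # hypothetical agent data folder
)

function Get-DefenderExclusionReport {
    param([string[]] $WatchList = @())

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    $report = [ordered]@{
        RealTimeProtectionEnabled = [bool]$status.RealTimeProtectionEnabled
        AntivirusEnabled          = [bool]$status.AntivirusEnabled
        TamperProtectionEnabled   = [bool]$status.IsTamperProtected
        ExclusionPaths            = @($pref.ExclusionPath)
        ExclusionExtensions       = @($pref.ExclusionExtension)
        ExclusionProcesses        = @($pref.ExclusionProcess)
        BroadExclusions           = @()
        WatchListHits             = @()
        RiskyExtensions           = @()
    }

    foreach ($p in $report.ExclusionPaths) {
        if (-not $p) { continue }
        # A whole drive or a top-level folder excluded from scanning gives an
        # intruder the most room to drop and run tooling unseen.
        if ($p -match '^[A-Za-z]:\\[^\\]*\\?$') {
            $report.BroadExclusions += $p
        }
        # Path exclusions apply recursively, so a watched folder is unscanned
        # if it is the excluded folder or sits anywhere beneath it.
        $prefix = $p.TrimEnd('\') + '\'
        foreach ($w in $WatchList) {
            $candidate = $w.TrimEnd('\') + '\'
            if ($candidate.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                $report.WatchListHits += "$w is unscanned because of exclusion $p"
            }
        }
    }

    # Excluding executable content by extension defeats the point of scanning.
    foreach ($e in $report.ExclusionExtensions) {
        if ($e -match '^\.?(exe|dll|ps1|bat|cmd|vbs|js|scr)$') {
            $report.RiskyExtensions += $e
        }
    }

    [pscustomobject]$report
}

$r = Get-DefenderExclusionReport -WatchList $watchList
$r | Format-List

if (-not $r.RealTimeProtectionEnabled) { Write-Warning 'Defender real-time protection is OFF.' }
if (-not $r.TamperProtectionEnabled)   { Write-Warning 'Tamper protection is OFF; Defender settings can be changed by local malware.' }
foreach ($hit in $r.WatchListHits)     { Write-Warning $hit }
foreach ($b in $r.BroadExclusions)     { Write-Warning "Broad exclusion: $b" }
foreach ($x in $r.RiskyExtensions)     { Write-Warning "Executable extension excluded from scanning: $x" }
```

Where an exclusion genuinely is required by a vendor, the check above at least makes it visible; pairing it with tamper protection and with monitoring of any new files written into the excluded folders limits what an intruder with write access there can do unnoticed.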
___
Associated Press writers Jim Heintz in Moscow and Jan Olsen in Stockholm contributed to this report.