The ransomware operation known as REvil has now fixed the price it wants to be paid for the decryption of all enterprise systems that were locked in the recent Kaseya supply chain assault.

The ransomware outfit has requested a massive $70m (£50.85m) payment to be made in hard-to-trace Bitcoin in return for the dedicated tool that enables all impacted companies to recover their data files.

The malicious attack was initially spread via the Kaseya VSA cloud-based solution utilised by managed service providers (MSPs) for managing security patches and monitoring customer systems.

Clients of numerous MSPs have now been affected by the insidious attack, with REvil ransomware successfully encrypting the networks of approximately 1,000 enterprises and organisations across the globe.

Record-breaking ransom requests from REvil

A recent post on the REvil ransomware gang’s built-for-purpose leak site saw the gang boast that it has locked over a million systems but was willing to open negotiations with impacted enterprises for the receipt of a universal decryptor, with a starting price of $70m.

The ransom request aimed at the Kaseya supply-chain attack victims is now the largest recorded ransom demand. Prior to the recent demand, the highest amount requested was a $50m ransom that also originated from the ambitious REvil gang when it turned its extortion tactics against the Taiwan-headquartered computer and electronics manufacturer Acer.

Previously, the ransomware gang had asked the MSPs for $5m in return for the decryption solution, along with a $44,999 ransom from its affected customers.

However, the group employed multiple extensions when it encrypted the files, and the price of $44,999 was requested to pay for unlocking files with an identical extension.

Executing a ransomware attack

The REvil ransomware group was able to action this extensive and exceptionally damaging attack through exploitation of a zero-day vulnerability it identified within the Kaseya VSA server. The weakness had been privately reported and was actually in the process of being resolved when the threat operators struck.

Researchers based at the Dutch Institute for Vulnerability Disclosure (DIVD) had reported the weakness and Kaseya had even created a new security patch that was going through the validation stage before being delivered to its customers.

Chair for DIVD, Victor Gevers, commented:

“During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”

Although how it became aware of the bug remains unknown, the REvil group used its knowledge to exploit the vulnerability before the patch could be rolled out to Kaseya’s customers.

The extent of this recent ransomware attack by REvil also remains unclear at present, however the scale of the incident has attracted attention among law enforcement agencies and the US government.

President Biden himself has addressed the supply-chain-style attack and directed US intelligence agencies to examine the hack that impacted hundreds of American enterprises. The FBI has since confirmed that it is working alongside the CIA to investigate.