In private conversation, hackers behind ransomware outbreak lower demand to US$50m

The REvil ransomware gang, also known as Sodinokibi, is publicly demanding US$70 million to restore the data it is holding ransom. PHOTO: REUTERS

WASHINGTON (REUTERS) - The hackers who have claimed responsibility for an international ransomware outbreak have lowered their asking price in a private conversation with a cybersecurity expert, something he said may be a sign the group was having trouble monetising their massive breach.

The REvil ransomware gang, also known as Sodinokibi, is publicly demanding US$70 million (S$94 million) to restore the data it is holding ransom after their data-scrambling software affected hundreds of small and medium businesses across a dozen countries - including schools in New Zealand and supermarkets in Sweden.

But in a conversation with Mr Jack Cable of the cybersecurity-focused Krebs Stamos Group, one of the gang's affiliates said he could sell a "universal decryptor" for all the victims for US$50 million.

Mr Cable said he managed to get through to the hackers after obtaining a cryptographic key needed to log on to the group's payment portal. Reuters was subsequently able to log on to the payment portal and chat with an operator who said the price was unchanged at US$70 million "but we are always ready to negotiate".

Because of REvil's affiliate structure, it is occasionally difficult to determine who speaks on the hackers' behalf, but Mr Cable said both conversations suggested that despite the headline US$70 million demand "they're definitely not attached to that number".

"It makes you wonder if they're having a hard time getting people to pay," he said.

Another expert said that the hackers, by encrypting so much data from so many businesses at once, may have bitten off more than they could chew.

"For all of their big talk on their blog, I think this got way out of hand," said Mr Allan Liska of cybersecurity firm Recorded Future.

The fallout of the July 2 hack is still coming into focus. New Zealand said on Monday (July 5) that 11 schools and several kindergartens were affected by the ransomware attack.

Kindergarten Association Whanau Manaaki, which has more than 100 member kindergartens, said it had been impacted and had asked members to keep offline, Radio New Zealand reported.

Education Minister Chris Hipkins said the government was working to isolate any further risks.

In their conversation with Reuters, the hackers' representative described the disruption in New Zealand as an "accident". But they expressed no such regret about the disruption in Sweden, where hundreds of Coop supermarkets had to be closed because of the attack.

"It's nothing more than a business," the representative said when asked about the impact on grocery stores.

About a dozen different countries have been affected by the breach, according to research published by cybersecurity firm ESET.

On Sunday, the White House said it was reaching out to victims of the outbreak "to provide assistance based upon an assessment of national risk".
