The REvil group has struck again, encrypting over one million systems and demanding a $70 million payment in Bitcoin to release the "universal decryptor" to unlock the encrypted files on every affected system.

Estimates put the total number of companies affected at around 200, some 40 of which were targeted through Kaseya, the managed service provider (MSP) thought to be at the center of this supply chain attack.

REvil Group Demands $70 Million Bitcoin Payment for Decryptor

Late on 2 July, 2021, reports of yet another major ransomware attack rippled across the internet. Around 30 MSPs were targeted, affecting hundreds of companies and, theoretically, millions of individual computers.

It quickly emerged that the notorious REvil crime syndicate was behind the ransomware attack. The group demanded ransoms of up to $50,000 to unlock individual systems, offered larger company-wide decryption keys for up to $5 million, and took all payments in Bitcoin.

However, late on Sunday, 4 July, 2021, an update to the REvil dark website revealed that the criminal organization would deliver a universal decryption key to every affected business and organization—for the cool fee of $70 million.

REvil Hits 200 Businesses in Supply Chain Attack

According to a report seen by the BBC, around 200 US-based businesses have been hit with ransomware. The knock-on effect of the attack, however, has been much larger. Due to the nature of a supply chain attack, where the initial victim is often a stepping-stone to secondary victims, the REvil ransomware attack has multiple additional victims.

In Sweden, 500 Coop supermarkets were forced to close, along with 11 schools in New Zealand, and multiple other small incidents spread worldwide. According to Kaseya CEO Fred Voccola, the victims would mainly include "dental practices, architecture firms, plastic surgery centers, libraries, things like that."

It is thought that there are more victims, many of which are yet to report or disclose the ransomware breach or whether they have attempted to pay the ransom.


Dutch Security Researchers Reported Kaseya Zero-Day Vulnerability

In a final blow, security researchers from the Dutch Institute for Vulnerability Disclosure revealed that they contacted Kaseya previously regarding several zero-day vulnerabilities (tracked under CVE-2021-30116) under responsible disclosure guidelines.

The researchers worked with Kaseya, "giving our input on what happened and helping them cope with it. This included giving them lists of IP addresses and customer IDs of customers that had not responded yet, which they promptly contacted by phone."

But the biggest takeaway is that Kaseya knew about the dangerous vulnerability before the REvil ransomware hit, which could become a major issue in the post-mortem process for the many companies affected.