IE 11 is not supported. For an optimal experience visit our site on another browser.

Hackers behind holiday crime spree demand $70 million, say they locked 1 million devices

Cybersecurity experts say the scale of the attack is unprecedented for criminal hackers.

The hacker gang behind an international crime spree that played out over the Fourth of July weekend says it has locked more than a million individual devices and is demanding $70 million in bitcoin to set them all free in one swoop.

The gang, the Russia-connected REvil, is best known for previously having hacked JBS, one of the world's largest meat suppliers, briefly halting its operations across much of North America. But this attack's potential scope is unprecedented, some cybersecurity experts said.

REvil began its spree Friday by compromising Kaseya, a software company that helps companies manage basic software updates. Because many of Kaseya's customers are companies that manage internet services for other businesses, the number of victims grew quickly. Instead of locking an individual organization, as ransomware gangs usually do, REvil locked each victim computer as a standalone target and initially asked for $45,000 to unlock each one.

President Joe Biden told reporters Sunday that he has "directed the full resources" of the government toward investigating the problem.

A shuttered Coop supermarket store in Stockholm on Saturday during a cyberattack against organizations around the world. Ali Lorestani / AFP - Getty Images

The Swedish grocery chain Coop is the largest known victim; it closed most of its about 800 stores all day Saturday. Its registers were controlled online by Visma Esscom, a Kaseya customer, and locked up and rendered unusable.

Exactly how many systems have been infected is unknown, although the number is likely to be sizable. The cybersecurity firm Huntress, which is helping Kaseya's response, said it was aware of more than 1,000 businesses that had been affected.

REvil's claim that it has compromised more than a million devices is impossible to prove, because few victims are speaking publicly and no government or company has a database of everyone who was hit. But that number is plausible, said Mikko Hypponen, a researcher at the cybersecurity company F-Secure, given that this strain of ransomware infects each device individually.

"Think about a retail chain, like grocery retail," Hypponen⁩ said. "Every single cashier system is an endpoint. Every laptop. Everybody in the sales has a system, multiple servers. Two hundred stores, 300 stores, they alone would have thousands of endpoints. And if a thousand Coop-like companies were infected, yes, you would have a million endpoints."

Regardless of the actual number of victims, it's extremely difficult to imagine victims banding together to jointly pay $70 million, said Allan Liska, an analyst at the cybersecurity firm Recorded Future. 

"Despite the braggadocio in their note, I actually think it is actually a sign they are overwhelmed," Liska said.

A million victims that each paid $45,000 would yield $45 billion, he noted.

"They are lowballing themselves at $70 million," he said.