Ransomware group REvil conducts 15 cyberattacks per week over 2 months, research shows

Between 800 and 1,500 of the small businesses Kaseya's customers manage were compromised

REvil, a ransomware group linked to Russian hackers, has conducted 15 cyberattacks per week over two months, according to new research.

The group has made headlines in recent days after conducting the single biggest ransomware attack yet, targeting thousands of companies in at least 17 countries including Miami-based tech company Kaseya on Friday.

REvil, which targeted Brazilian meat-processing company JBS in June, demanded a $70 million ransom in cryptocurrency on the dark web in exchange for a universal decryptor that would unscramble all affected machines.


"This cyber attack is one of the biggest we’ve ever seen," Ekram Ahmed, spokesperson for cybersecurity firm Check Point Research (CPR), said in a statement. "What’s alarming here is the combination of a supply chain and ransomware attack; usually you see one or the other. A supply chain attack that targets [managed service providers] MSPs, combined with crippling ransomware, has potentially exponential and untenable consequences."

The threat group has conducted an estimated 15 cyberattacks per week over the last two months, targeting firms in the U.S., Germany, Brazil and India most often, researchers at CPR found.

President Biden, speaking Tuesday, downplayed damage from the attacks.

"It appears to have caused minimal damage to U.S. businesses, but we're still gathering information to the full extent of the attack. And I'm going to have more to say about this in the next several days. We're getting more detailed information. That's what I can tell you now," he said.

Ransomware attacks have increased 93% over the last 12 months, and threat actors often wait for holidays to strike because targets are more off guard, CPR found.


Preparation for ransomware attacks can span from days to months before threat actors make their demands so that they can covertly familiarize themselves with a firm's systems before executing the attack, according to researchers.

Between 800 and 1,500 of the small businesses Kaseya's customers manage were compromised, the IT firm said in a Monday update, though it also noted that the attack was not a critical threat to its critical infrastructure.

"Our global teams are working around the clock to get our customers back up and running," Kaseya CEO Fred Voccola said in a Monday statement. "We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved."

The company has received support from the FBI, CISA and White House, it said in the update.


Any business that runs Kaseya VSA should follow the vendor's advice and disconnect it from the network; use EDR, NDR and other security tools to verify the legitimacy of files changed since the attack; confirm with security vendors that REvil ransomware protections have been implemented; and call in experts if additional help is needed, according to CPR.
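One concrete way to approach the "verify file legitimacy" step is a baseline-and-compare integrity check: hash an application directory from a known-good state, then list files that are new, modified or missing, and separately flag anything touched after the time the incident is believed to have started. The script below is an added example written for this article; it is not Kaseya's, CPR's or any vendor's tooling, and it assumes the defender already holds a pre-incident SHA-256 manifest (here built on the fly over a constructed temporary directory with invented file names).

```python
"""Baseline-and-compare file integrity check (added example, not from the
article, Kaseya or CPR). Assumes a SHA-256 manifest of an application directory
was recorded before the incident; reports added / missing / modified files and
anything with a modification time at or after a chosen cutoff."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(root: Path, baseline: dict, cutoff_epoch: float) -> dict:
    """Diff the live directory against the baseline manifest.

    'touched_since_cutoff' is a second, independent signal: mtimes can be
    forged, so it complements rather than replaces the hash comparison."""
    current = build_manifest(root)
    shared = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in shared if current[k] != baseline[k]),
        "touched_since_cutoff": sorted(
            k for k in current if (root / k).stat().st_mtime >= cutoff_epoch
        ),
    }


def _write(path: Path, data: bytes, mtime: float) -> None:
    """Write a constructed file and pin its mtime so the demo is deterministic."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.utime(path, (mtime, mtime))


def demo() -> dict:
    """Simulate a pre-incident baseline, an incident, and the comparison."""
    cutoff = 1_700_000_000.0        # constructed: assumed incident start (epoch)
    before = cutoff - 3600          # baseline files were last written an hour earlier
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root / "bin" / "agent.exe", b"trusted binary (constructed)", before)
        _write(root / "config.ini", b"mode=normal\n", before)
        _write(root / "readme.txt", b"docs (constructed)", before)
        baseline = build_manifest(root)

        # Constructed post-incident changes: one edit, one new file, one deletion.
        _write(root / "config.ini", b"mode=normal\nrun=unexpected\n", cutoff + 60)
        _write(root / "bin" / "unknown.dll", b"unreviewed file (constructed)", cutoff + 120)
        (root / "readme.txt").unlink()

        return compare(root, baseline, cutoff)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Anything in `added` or `modified` is what EDR and vendor tooling should then classify; files listed only under `touched_since_cutoff` but unchanged by hash are usually benign writes, while a modified file with an old mtime is worth a closer look, since a tidy attacker may reset timestamps.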

"Both the timing of the Kaseya attack and the choice of victim played roles in the far-reaching outcome; the lack of preparation and awareness by Kaseya allowed the attack to spread to dozens of smaller businesses and organizations," Richard Blech, founder of cyberinfrastructure company XSOC Corp., said in a statement to FOX Business.

Blech added that "for every brand directly impacted, there may be dozens or even hundreds more that indirectly rely on Kaseya services."

The Associated Press contributed to this report.