US government vows to take action on REvil Kaseya attack if linked to Russia
The U.S. government today vowed to take action against Russia if the ransomware attack that targeted software from Kaseya Ltd. is proved to be linked to the country.
The ransomware attack, attributed to the REvil ransomware gang, started on Friday ahead of the Independence Day long weekend. The first known victim was Coop, a chain of supermarkets in Switzerland that was forced to close operations at about 500 locations. The exact number of victims remains unclear, with Kaseya Chief Executive Officer Fred Voccola putting the number at between 800 and 1,500.
REvil targeted Kaseya VSA, cloud-based software used by managed service providers to automate software patch management and vulnerability management to ensure all systems are up to date. Although only a small number of MSPs were affected by the attack, the total remains uncertain because it is unclear how many customers of each MSP were subsequently affected.
Along with the Swiss supermarket chain, known victims now include a kindergarten group in New Zealand and several organizations in the U.K.
Whether the U.S. will actually do anything is open to speculation. White House Press Secretary Jen Psaki claimed at a press conference today that the U.S. will take action but noted that it is not yet proven that the attack came from a ransomware group in Russia. REvil, a known Russian ransomware gang with a long history, is not merely believed to be behind the attack: the gang has publicly taken credit for it while also demanding a $70 million payment for a decryption key.
“We have undertaken expert-level talks that are continuing. We expect to have another meeting next week focused on ransomware attacks,” Psaki said. “As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.”
It is a given that ransomware is not a good thing, but companies clearly could do more to secure their software. As it turns out, Kaseya software has been targeted and exploited previously.
“This is not the first time Kaseya has been impacted by ransomware,” John Fokker, principal engineer and head of cyber investigations for McAfee Enterprise Advanced Threat Research, told SiliconANGLE. “The organization was hit in 2019 by GandCrab, a now-defunct ransomware-as-a-service operation that appeared to morph into REvil around mid-2019.”
Matt Sanders, director of security at security intelligence company LogRhythm Inc., noted that this is a major reminder that ransomware attacks are an increasing threat to companies, critical infrastructure organizations and government agencies at all levels.
“This attack is especially dangerous because Kaseya is used by many managed service providers that businesses trust to handle their IT functions such as endpoint inventory, patching and software deployment,” Sanders added. “With up to 1,500 possible businesses affected by the Kaseya ransomware attack, the impacts from the attack will be felt for months to come.”