Cybersecurity CEO: Hackers demanding $70 million in global ransomware attack won’t get that much

Small Business

An international ransomware attack that started with Florida-based IT firm Kaseya will not fetch the entire $70 million that its Russia-linked hackers are demanding, Huntress CEO Kyle Hanslovan told CNBC on Tuesday.

“It wouldn’t surprise me if someone was to pay the ransom for it to be closer to the $40 [million] to $50 million ballpark,” said Hanslovan, whose cybersecurity company has been helping Kaseya with its incident response and disaster recovery since Friday’s breach.

“With that said, I haven’t seen anything that’s suggesting that Kaseya will pay for the universal decryptor, meaning the one that decrypts both their customers and their customers’ customers,” Hanslovan added in a “Squawk Box” interview.

The REvil hacker gang is publicly demanding $70 million in cryptocurrency to unlock data from the attack, which spread to hundreds of small and medium-sized businesses across a dozen countries.

Jack Cable of cybersecurity-focused Krebs Stamos Group told Reuters that one of the group’s affiliates, in a private conversation, already expressed a willingness to lower the asking price for a “universal decryptor” to $50 million. While it can be difficult to determine who speaks on behalf of the hackers, Cable said that his conversations suggested they are “definitely not attached” to their $70 million demand.

Kaseya CEO Fred Voccola said Monday that between 800 and 1,500 businesses were affected by the attack, with the fallout expected to continue Tuesday as people return to the office after the Fourth of July weekend.

“My guess would be [that the] total number of companies, and from everything we’ve seen, the hackers don’t have a feedback loop into just how many people were compromised,” Hanslovan said, adding that hacker claims of infecting 1 million systems are just “bragging.”

Cybersecurity experts said the gang targeted software supplier Kaseya using its network-management package to spread the ransomware through cloud-service providers. The breach temporarily shut down hundreds of Sweden’s Coop grocery stores after cash registers were locked up. It also affected more than 10 schools and several kindergartens in New Zealand.

The company is headquartered in Miami and has offices all over the U.S., Canada, Europe and the Asia Pacific region.

“Everybody was awakened to a synchronized attack. What that means is they target managed service providers, and it’s kind of a one-to-many attack that impacts many industries,” Hanslovan said, pointing out that health-care companies, legal firms and even federal entities have faced similar attacks.

The White House said Sunday it’s reaching out to victims of the attack “to provide assistance based upon an assessment of national risk.”