REvil Ransomware Hits 200 Companies In MSP Supply-Chain Attack
A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack. REvil Ransomware Hits 200 Companies In MSP Supply-Chain Attack
Starting this afternoon, the REvil ransomware gang, aka Sodinokibi, targeted MSPs with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack.
At this time, there eight known large MSPs that have been hit as part of this supply-chain attack.
Huntress Labs’ John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that they have proof that their customers are being encrypted as well.
“We have 3 Huntress partners that are impacted with roughly 200 businesses encrypted,” Hammond told BleepingComputer.
Kaseya issued a security advisory on their help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the attack’s spread while investigating.
“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.
We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.
Its critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA.”
In a statement to BleepingComputer, Kaseya stated that they have shut down their SaaS servers and are working with other security firms to investigate the incident.
Most large-scale ransomware attacks are conducted late at night over the weekend when there is less staff to monitor the network.
As this attack happened midday on a Friday, the threat actors likely planned the time to coincide with the July 4th weekend in the USA, where it is common for staff to have a shorter workday before the holidays.
REvil Attack Spread Through Auto-Update
BleepingComputer has been told by both Huntress’ John Hammond and Sophos’ Mark Loman that the attacks on MSPs appear to be a supply chain attack through Kaseya VSA.
According to Hammond, Kaseya VSA will drop an agent.crt file to the c:\kworking folder, which is being distributed as an update called ‘Kaseya VSA Agent Hot-fix.’
A PowerShell command is then launched to decode the agent.crt file using the legitimate Windows certutil.exe command and extract an agent.exe file to the same folder.
The MsMPEng.exe is an older version of the legitimate Microsoft Defender executable used as a LOLBin to launch the DLL and encrypt the device through a trusted executable.
Some of the samples add politically charged Windows Registry keys and configurations changes to infected computers.
For example, a sample [VirusTotal] installed by BleepingComputer adds the HKLM\SOFTWARE\Wow6432Node\BlackLivesMatter key to store configuration information from the attack.
Advanced Intel’s Vitali Kremez told BleepingComputer that another sample configures the device to launch REvil Safe Mode with a default password of ‘DTrump4ever.’
Huntress continues to provide more info about the attack in a Reddit thread.
In a statement to BleepingComputer late Friday night, Kaseya said they found the vulnerability that was used during the attack and that a patch will be released as soon as possibly.
“While Our Investigation Is Ongoing, To Date We Believe That:
Our SaaS customers were never at-risk. We expect to restore service to those customers once we have confirmed that they are not at risk, which we expect will be within the next 24 hours;
Only a very small percentage of our customers were affected – currently estimated at fewer than 40 worldwide.
We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly. We will release that patch as quickly as possible to get our customers back up and running.” – Kaseya.
BleepingComputer has sent followup questions regarding the vulnerability but has not heard back at this time.
Ransomware Gang Demands A $5 Million Ransom
A sample of the REvil ransomware used in one of these attacks has been shared with BleepingComputer. However, it is unknown if this is the sample used for every victim or if each MSP received its own ransom demand.
The ransomware gang is demanding a $5,000,000 ransom to receive a decryptor from one of the samples.
While REvil is known to steal data before deploying the ransomware and encrypting devices, it is unknown if the attackers exfiltrated any files.
MSPs are a high-value target for ransomware gangs as they offer an easy channel to infecting many companies through a single breach, yet the attacks require intimate knowledge about MSPs and the software they use.
REvil has an affiliate well versed in the technology used by MSPs as they have a long history of targeting these companies and the software commonly used by them.
In June 2019, an REvil affiliate targeted MSPs via Remote Desktop and then used their management software to push ransomware installers to all of the endpoints that they manage.
This affiliate is believed to have previously worked with GandCrab, who also successfully conducted attacks against MSPs in January 2019.
Ransomware Group’s Attack Likely Hits Thousands of New Targets
REvil is said to have focused on Kaseya VSA, a software used by large companies and technology-service providers to manage and distribute updates.
The ransomware group that collected an $11 million payment from meat producer JBS SA about a month ago has begun a widespread attack that has likely infected hundreds of organizations world-wide and tens of thousands of computers, according to cybersecurity experts.
The group, known as REvil, has focused its attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates to systems on computer networks, according to security researchers and VSA’s maker, Kaseya Ltd.
REvil is a well-known purveyor of ransomware—malicious software that locks up a victim’s computer until a digital ransom is paid, typically in the form of bitcoin. This latest attack appears to be its largest ever. The incident may have infected as many as 40,000 computers world-wide, according to cybersecurity experts.
The use of trusted partners like software makers or service providers to identify and compromise new victims, often called a supply-chain attack, is unusual in cases of ransomware, in which hackers shut down the systems of institutions and demand payment to allow them to regain control.
The Kaseya incident appears to be the largest and most significant such attack to date, said Brett Callow, a threat analyst for cybersecurity company Emsisoft.
Among those affected was a supermarket chain in Sweden. The company said that in some cases its cash registers were hit in the attack, prompting many of its stores to remain shut Saturday.
Upon learning of the attack Friday, Kaseya immediately shut down its servers and began warning customers, the company said.
Friday evening it said only customers running the software on their own servers, rather than users of Kaseya’s online service, appeared to have been affected.
In an update Saturday morning, the company recommended that users of its software keep those products offline until further notice. The company also is keeping its own cloud-based services offline until it determines that it can safely restart them, Kaseya said.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency advised Kaseya users to shut down their VSA servers immediately. “CISA is closely monitoring this situation and we are working with the FBI to gather information about its impact,” said Eric Goldstein, the agency’s executive assistant director for cybersecurity.
Kaseya says that fewer than 40 of its more than 36,000 customers were affected by the incident. However, more than 30 of these customers were service providers, a company spokeswoman said Saturday. Those providers, in turn, have many more customers that could have potentially been hit.
Most of the customers of these providers are small and midsize organizations, said Kyle Hanslovan, chief executive of the security firm Huntress.
While the cause of the attack is still being investigated, it is “very likely there is some vulnerability or a flaw that is being mass-exploited in VSA,” Mr. Hanslovan said.
Ransomware groups, including REvil, have targeted service providers in the past, including with a 2019 attack that hit at least 22 municipalities in Texas, said Emsisoft’s Mr. Callow.
“I’ve never seen a ransomware attack impact so many companies at one time,” said Al Saikali, a partner at law firm Shook, Hardy & Bacon LLP, which was brought in to consult on six ransomware attacks related to the VSA incident Friday.
On his busiest previous day, he said, he had signed up two clients. Ransom demands in the six attacks ranged from $25,000 to $150,000, he said.
For service providers themselves, the demands are higher—in one case, $5 million, Mr. Hanslovan said.
Ransomware has emerged as one of the country’s most serious security problems in recent years, as hackers have targeted businesses, hospitals, schools and other institutions. Attackers have grown bolder as millions of people began using less-secure home internet connections for work and school during pandemic lockdowns.
The ransomware phenomenon shot into the spotlight in May when an attack forced Colonial Pipeline Co., a major shipper of gasoline to the U.S. East Coast, to shut down a pipeline, drying up supplies at gas stations across the Southeast.
Intelligence officials have linked this attack and others to Russia, a charge officials there denied.
President Biden, traveling in Michigan, told reporters he had been briefed on the attack and that U.S. officials were trying to determine the extent of the Russian government’s involvement.
“First of all we’re not sure who it is for certain,” Mr. Biden said when asked about the attack. “The initial thinking was it was not the Russian government. But we’re not sure yet.”
He added that he has warned Russian President Vladimir Putin that the U.S. would respond to Russian government-sponsored cyberattacks. At a recent summit with Mr. Putin, the president addressed cybersecurity and said critical infrastructure should be off-limits to attacks.
About a month ago, a REvil attack temporarily knocked out plants that process one-fifth of the U.S. meat supply. JBS’s U.S. unit paid $11 million in ransom to the attackers, according to a company executive.
Ransomware Hackers Demand $70 Million To Unlock Computers In Widespread Attack
Kaseya CEO tells White House there is no evidence that critical infrastructure was impacted by attack on some of his company’s customers.
The boss of the company at the heart of a widespread hack that has affected hundreds of businesses said he briefed the White House and that attackers are demanding a single $70 million ransomware payment.
The cyberattack that started to unfold Friday is estimated to have hit hundreds of mostly small and medium-size businesses and tens of thousands of computers. It quickly set off alarms in U.S. national security circles over concern that it could have far-reaching effects.
On Monday, Fred Voccola, the chief executive of Kaseya Ltd., whose software was targeted in the attack, spoke with Deputy National Security Advisor Anne Neuberger about the event while the company was still scrambling to restore services to its customers, Mr. Voccola said. Mr. Voccola told the White House that Kaseya wasn’t aware of any critical infrastructure that had been hit by the ransomware or of any victims related to national security, he said in an interview Monday.
A White House spokeswoman didn’t immediately comment.
The hackers behind the ransomware attack said that, upon payment, they will release a “universal decryptor” that would unlock computers that had been encrypted and rendered unusable by the attack, according to a note posted to the group’s website Sunday. Mr. Voccola declined to discuss the payment issue.
The ransomware incident has raised concerns because Kaseya’s VSA software is used by many technology companies to provide computer management services, potentially providing a gateway to other victims. The attack locked up computers at schools in New Zealand and locked up cash registers at Coop, a Swedish grocery store chain that was forced to shut some outlets.
Mr. Voccola said that corporate systems at Kaseya hadn’t been compromised during the attack, but that the company protectively shut down the servers providing its online services. Employees have been working through the weekend to restore services and test and release a patch to users of its VSA software that will fix the issues exploited by the hackers, he said. That patch should be released within “hours,” Mr. Voccola said Monday afternoon.
The hackers were able to distribute ransomware by exploiting several vulnerabilities in the VSA software, a Kaseya spokeswoman said.
One of them, discovered by a Dutch security researcher, was in the process of being patched by Kaseya before the ransomware attack occurred, said Victor Gevers, chairman of the volunteer-run security group, the Dutch Institute for Vulnerability Disclosure.
“Kaseya understood the problem and they were rushing to produce a patch,” Mr. Gevers said. Mr. Gevers said the bug was due to a simple error in the company’s code.
About 50 of Kaseya’s customers were compromised and about 40 of those customers were sellers of IT services, known as managed service providers, Mr. Voccola said. By breaking into MSP’s, the hackers were able to expand their impact, performing what security experts call a supply-chain attack.
Security companies estimate that hundreds of organizations, all of them customers of those 40 or so service providers, have now been hit by the ransomware, making it one of the most widespread incidents to date. But almost all of them are small and medium-size organizations, cybersecurity experts said, with the impact often not immediately apparent to the wider public.
“A typical MSP has—ballpark—about 40 end-customers. The average one of their customers has about 20 endpoints and not all of the endpoints were even breached,” Mr. Voccola said in reference to the managed service providers. “It’s still too many, don’t get me wrong.”
Concerns about ransomware are at an all-time high, following extremely disruptive attacks on the Colonial Pipeline and food processor JBS SA .
In May, President Biden ordered U.S. agencies and software contractors that supply them to boost their defenses against cyberattacks that officials have said pose a growing threat to national security and public safety.
The hackers behind the latest incident are known as the REvil ransomware group. They are asking for $70 million to unlock all the affected systems but victims of the group can also pay amounts varying between $25,000 and $5 million directly to unlock their systems even if nobody pays the $70 million.
On Friday, REvil claimed to have infected 40,000 computers. By Sunday, that claim had ballooned to 1 million, a claim many cybersecurity experts treated with skepticism.
“One million seems like an enormous overestimate,” said Brett Callow, a threat analyst for cybersecurity company Emsisoft.
When reached through an intermediary, REvil declined to comment. “We don’t need a lot of noise. Only money,” one of the group’s members told the intermediary, the person said.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency advised Kaseya users to shut down their VSA servers on Friday and has been monitoring the situation.
President Biden over the weekend told reporters that he had been briefed on the attack and that U.S. officials were trying to determine the extent of the Russian government’s involvement. He added that he has warned Russian President Vladimir Putin that the U.S. would respond to Russian government-sponsored cyberattacks. At a recent summit with Mr. Putin, the U.S. president addressed cybersecurity and said critical infrastructure should be off-limits to attacks.
With this latest attack, REvil, which about a month ago collected a $11 million payment from JBS, appears to be signaling that it has not been deterred.
“Ever since Colonial, they have indicated that they are not backing down and they’re going to be even more focused on U.S. targets,” said Chris Krebs, a partner at the security consulting firm Krebs Stamos Group LLC. “What we’re seeing here is some signaling from the actors that these guys are here to stay.”
DoJ’s Crypto Czar Joins FinCEN In Brand-New Role: Why It Matters
While she was wrapping up her last day on the job, an affiliate of the notorious “REvil” gang, which is best known for extorting $11 million in Bitcoin (BTC) from meat processor JBS after an attack on Memorial Day, executed the single biggest global ransomware attack on record to kick off the July 4 holiday weekend resulting in a $70 million payday in Monero (XMR).
If REvil is successful, they could perform a second attack on the businesses that chose to pay the Mondero demand.
Michele Korver’s appointment to the U.S. Financial Crimes Enforcement Network promises to reduce illicit financial practices within the crypto space.
Talk about ending a stellar career at the United States Department of Justice with a bang. The DoJ’s first-ever “crypto czar,” Michele Korver, advised government attorneys, federal agents, the Department of the Treasury’s Financial Stability Oversight Council and the U.S. delegation to the Financial Action Task Force on cryptocurrency matters, and she developed cryptocurrency seizure and forfeiture policy and legislation.
REvil’s supply chain-targeted ransomware attack successfully spread malware to thousands of businesses in at least 17 countries that outsourced their IT department to Kaseya, a privately held company based in Dublin, Ireland.
It did so in one fell swoop, thanks to Kaseya’s compromised IT management software, VSA — According to a recent report by Cybereason titled “Ransomware: The True Cost to Business,” 80% of businesses that choose to pay a ransomware demand are targeted a second time. REvil could then turn around and launder the illicit proceeds on dark web markets, as outlined in a report issued by Flashpoint and Chainalysis.
Criminals prefer using cryptocurrency tumblers/mixing services or privacy coins like Monero when paying for illicit goods and services in order to obscure the trail back to the fund’s original source, points out Korver, who co-authored an article titled “Surfing the First Wave of Cryptocurrency Money Laundering” in a journal issued by the DoJ. As she writes:
“Criminals follow common paths when placing, layering, and integrating their ill-gotten cryptocurrency. Those paths go through several primary domains, including institutional exchanges, P2P exchangers, mixing and tumbling services, and traditional banks. […] Some of these primary domains, such as P2P exchangers and mixing services, appear to more directly cater to criminals in need of laundering cryptocurrency.”
For example, Korver explains: “To first possess cryptocurrency, criminals [including cyberattackers and ransom demanders] must set up wallets. Those wallets might be under their exclusive control [un-hosted wallets], or they might be custodial wallets hosted by a third-party service provider, such as an institutional exchange. Once in a wallet, funds can be sent to mixing services or gambling sites to obscure their historical trail.
From there, the funds can be converted to fiat currency through exchanges, P2P exchangers, or kiosks. Sometimes, the funds will then be sent to bank accounts or cryptocurrency debit cards where they can be used to buy things or pay off debts. While this is the typical way in which the primary domains appear in the PLI process, criminals can use the domains in almost any way they want: Wallets can be used to mix funds; P2P exchangers can be used to integrate the funds; and kiosks can be used for layering.
Criminals can also repeat the steps of the PLI process to further obfuscate the origin of the ill-gotten funds, though they incur additional costs and risk every time they repeat the cycle.”
In the context of ransomware payments, the number of which has increased by around 500% since the onset of the COVID-19 pandemic, Korver goes on to say that “Victims of ransomware attacks have relied on P2P exchangers.
With the rise of ransomware as a standardized criminal enterprise, an increasing number of victims have been forced to purchase cryptocurrency in short order. It has been estimated that 9% of Bitcoin transactions are attributable to ransomware or some other form of cyber extortion payment.
If it takes days or weeks to open a validated account at an institutional exchange, a P2P exchanger can offer cryptocurrency at a moment’s notice, and victims are willing to pay this speed premium. Victims have noted that ‘the processing times [at a registered institutional exchange] were far beyond the scope of the immediacy posed by the ransom’ and that a P2P exchanger was a better option for obtaining cryptocurrency in a hurry.”
Prior to Korver’s arrival at the Financial Crimes Enforcement Network, FinCEN authorities proposed a rule taking aim at transactions involving unhosted cryptocurrency wallets, which are generally software installed on a computer, phone or other device.
The cryptocurrency in an unhosted wallet are controlled by an individual, who can receive, send and exchange their crypto assets person-to-person with other unhosted wallets, or on an exchange platform, without revealing their identity — making it more difficult to trace and scrutinize transactions for Anti-Money Laundering and Counter-Terrorist Financing compliance risks.
These concerns are shared by the Financial Action Task Force (FATF), the intergovernmental body responsible for setting AML standards.
The updates proposed by the FAFT to its 2019 guidance expand the definition of a Virtual Asset Service Provider (VASP) to include several noncustodial cryptocurrency businesses, meaning they will be subject to AML/CFT regulations. Peer-to-peer decentralized exchanges/structures (except for rules that apply to all entities, like targeted financial sanctions) remain under review.
As cryptocurrencies — along with ransomware attacks — become more mainstream, Korver will advance FinCEN’s leadership role in the digital currency space by working across internal and external partners to bring forward strategic and innovative solutions to prevent and mitigate illicit financial practices and exploitation.
Kaseya Gets Tool to Unlock Data After Ransomware Attack
The tech company declined to disclose who provided the decryptor or if a ransom was paid.
The technology provider at the center of a ransomware attack this month said it obtained a tool to unlock data targeted by hackers in an incident that disrupted hundreds of firms in several countries.
Miami-based Kaseya Ltd. on Thursday said it received a universal decryptor that would help restore all the computer systems affected by the July 2 hack of one of its products, which acted as a springboard for hackers to reach New Zealand schools, a Dutch information-technology company and other organizations. The ransomware group behind the attack initially demanded $70 million for such a tool.
Kaseya spokeswoman Dana Liedholm described the source of the decryptor as a trusted third party, declining to elaborate or comment on whether a ransom was paid.
“We are actively and successfully using the tool to help those customers affected by the ransomware,” Ms. Liedholm added.
The attack targeted Kaseya’s virtual system administrator product, which helps clients manage their computer networks. The firm has released a series of updates to the tool over the past 10 days in the hope of mitigating the damage from the hack.
The Biden administration says it is taking an increasingly aggressive approach to ransomware, bolstering cyber standards for federal contractors and disrupting transactions used to launder ransom payments, as well as putting more public pressure on Russia, which it says provides safe harbor to hacking groups. The Kremlin has denied such claims.
Federal Bureau of Investigation Director Christopher Wray told The Wall Street Journal in June that authorities could also help some victims restore their systems without engaging hackers.
“I don’t want to suggest that this is the norm, but there have been instances where we’ve even been able to work with our partners to identify the encryption keys, which then would enable a company to actually unlock their data—even without paying the ransom,” he said.
It is unclear if authorities provided Kaseya with the decryptor Wednesday. A spokesman for the FBI said it is investigating the Kaseya hack but declined to comment further. The National Security Council didn’t immediately respond to a request for comment.
Coming amid a series of hacks that disrupted U.S. infrastructure, the Kaseya incident represented an escalation in ransomware tactics, cyber experts say. Hackers targeted a technology service provider and distributed ransomware among its customers and their respective clients, indiscriminately hacking the digital supply chain.
The initial breach of Kaseya’s product allowed hackers to reach dozens of customers that used it, including other service providers, company officials said. The attackers subsequently used those access points to enter computer networks of as many as 1,500 total victims, straining cybersecurity specialists who have responded to a surge in ransomware this year.
“For almost three weeks now, managed service providers and small-to-medium [sized] businesses have been working overtime to recover and restore systems,” said John Hammond, senior security researcher at cyber firm Huntress Labs Inc., which has been investigating the attack.
Kaseya got hold of the decryptor more than a week after a prolific criminal group suspected of the hack, known as REvil, went dark. The disappearance puzzled cybersecurity experts and left victims who had been negotiating with the group—not limited to Kaseya-related victims—in a lurch.
Ransom negotiators from the cyber firm GroupSense had been in talks with REvil on behalf of a hacked law firm on July 13 when they noticed its infrastructure to be unresponsive, Chief Executive Kurtis Minder said. REvil’s sites to chat with victims and “Happy Blog,” where it publicized stolen data, were down, he said.
The law firm, which wasn’t a Kaseya-related victim and which Mr. Minder declined to name, had hoped to pay REvil for a decryption key in lieu of proper backups of its data, he said. Mr. Minder and other cyber specialists working with such victims are now left wondering if the decryption key obtained by Kaseya will also work for them.
Decryptors don’t necessarily restore companies’ data as fast or comprehensively as victims would like, cyber experts say. But the Kaseya tool could help other companies that have been affected by REvil attacks, said Mike Hamilton, chief information security officer at Critical Insight Inc., a firm that is working with the gang’s victims.
“If the key is indeed universal,” he said Thursday, “we’d sure like a copy.”
Kaseya Recovers Data Stolen In Ransomware Attack With Mysterious Decryption Tool
The IT firm denies that it paid a ransom to the Russian hacker group in exchange for the decryption tool.
IT software provider, Kaseya, has announced it is providing its clients with a decryption tool to recover customer data that was locked in a ransomware attack earlier this month.
In a July 26 notice on its website, the global technology firm stated it has been assisting its customers with the restoration of their encrypted data in partnership with cybersecurity company Emsisoft.
It has been issuing a mysterious “decryptor” tool enabling customers to access data that had been locked by the malware disseminated in the July 2 attack.
“The decryption tool has proven 100% effective at decrypting files that were fully encrypted in the attack.”
The company has denied paying the $70 million in Bitcoin to the Russian hacker group, REvil — which took responsibility for the attack. Kaseya did not disclose how it came across the decryption software either, stating only that has not paid any ransom to get it.
Kaseya confirmed that, after consultation with experts, it decided not to negotiate with the criminals who perpetrated the attack, stating:
“We are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”
On July 2, the ransomware hacking group REvil brought the networks of at least 200 U.S. companies to their knees by leveraging an unpatched zero-day vulnerability in Kaseya’s IT management and automation software (VSA).
The news comes as ransomware is coming under increasing scrutiny from lawmakers.
According to a July 9 Cointelegraph report, Michele Korver’s appointment to the U.S. Financial Crimes Enforcement Network (FinCEN) promises to reduce illicit financial practices within the crypto space. During her previous tenure at the Department of Justice, she developed cryptocurrency seizure and forfeiture policy and legislation.
U.S. senators and politicians have come down hard on the cryptocurrency sector, largely blaming the technological phenomenon for the increase in ransomware attacks. Following the Colonial Pipeline and JBS attacks in May and June, there were calls for a crackdown on cryptocurrency in the U.S. senate after digital assets were dubbed the “ransom payment of choice” for hackers.
Meatpacker JBS paid an $11 million Bitcoin ransom to REvil, while Colonial made a $4.4 million BTC payment to Russia-linked DarkSide.
REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,REvil Ransomware Hits 200,