While the headlines blare about REvil offering to decrypt all victims of the Kaseya attack if they are paid $70 million, some companies have apparently already taken to individual negotiations with the threat actors.
Over on SuspectFile, Marco A. De Felice is careful not to name the victim, but describes one such set of negotiations going on. The chat logs he observed suggest that there is a lot of confusion, with perhaps more than one set of negotiations going on for the same victim. There is also inconsistency in the ransom demands being made for an individual company, with it variously being listed as $550,000 but settling for $225,000, and in another place it appeared to be less than $50,000.
But Marco also raises the question: who is uploading and pointing people to these negotiations and chats on threat actors’ servers? Marco hypothesizes that it is the threat actors themselves. It’s an interesting hypothesis, but I’d still be more inclined to believe that it is an employee of a firm with knowledge of the attack(s). But do read his post and see what you think of it all.
Kaseya’s updates can be found here. Another update is due today between 8:00 am and noon EDT. Although early reports suggested that malware was pushed out after being injected into the codebase, the firm later stated that this was a direct attack on victims by use of a 0-day. The number of victims seems to vary wildly from source to source and report to report, but remember that each single victim/client of Kaseya may have downstream clients, so the total number of companies impacted may be quite large.