The demand was posted on a blog typically used by the REvil
cybercrime gang, a Russia-linked group that is counted among the cybercriminal
world's most prolific extortionists.
The gang has an affiliate structure, occasionally making it
difficult to determine who speaks on the hackers' behalf, but Allan Liska of
cybersecurity firm Recorded Future said the message "almost
certainly" came from REvil's core leadership.
The group has not responded to an attempt by Reuters to
reach it for comment.
One of the largest ransomware attacks in history spread
worldwide on Saturday, forcing the Swedish Coop grocery store chain to close
all 800 of its stores because it could not operate its cash registers.
The shutdown of the major food retailer followed Friday's
unusually sophisticated attack on US tech provider Kaseya. The ransomware gang
known as REvil is suspected of hijacking Kaseya's desktop management tool VSA
and pushing a malicious update that infected tech management providers serving
thousands of businesses.
Huntress Labs, one of the first to sound the alarm about the
wave of infections at the providers' clients, said Saturday that thousands of
small companies might have been hit.
Miami-based Kaseya said it was working with the FBI and that
only about 40 of its customers were impacted directly. It did not comment on
how many of those were providers that in turn spread the malicious software to
others.
In a statement late on Saturday, the FBI said it was
investigating in coordination with the US Cybersecurity and Infrastructure
Security Agency.
"We encourage all who might be affected to employ the
recommended mitigations and for users to follow Kaseya's guidance to shut down
VSA servers immediately," the agency said.
The impacted businesses had files encrypted and were left
electronic messages asking for ransom payments of thousands or millions of
dollars.
Some experts said the timing of the attack, on the Friday
before a long US holiday weekend, was aimed at spreading it as quickly as
possible while employees were away from the job.
"What we are seeing now in terms of victims is likely
just the tip of the iceberg," said Adam Meyers, senior vice president of
security company CrowdStrike.
President Joe Biden said on Saturday he has directed US
intelligence agencies to investigate who was behind the attack.
According to Coop, one of Sweden's biggest grocery chains, a
tool used to remotely update its checkout tills was affected by the attack, so
payments could not be taken.
"We have been troubleshooting and restoring all night,
but have communicated that we will need to keep the stores closed today,"
Coop spokesperson Therese Knapp told Swedish Television.
The Swedish news agency TT said Kaseya technology was used
by the Swedish company Visma Esscom, which manages servers and devices for a
number of Swedish businesses.
State railway services and a pharmacy chain also suffered
disruption.
"They have been hit in various degrees," Visma
Esscom chief executive Fabian Mogren told TT.
Defence Minister Peter Hultqvist told Swedish television the
attack was "very dangerous" and showed how business and state
agencies needed to improve their preparedness.
"In a different geopolitical situation, it may be
government actors who attack us in this way in order to shut down society and
create chaos," he said.