'If Russia doesn't deal with cyber criminals, we will': Psaki issues warning to Putin after Biden was accused of being 'weak' in response to massive REvil ransomware attack

The White House warned the Kremlin on Tuesday that if they don't take action against Russian-linked criminal actors and hackers, the U.S. will retaliate.

'I will just reiterate a message that these top national officials are sending, as the president made clear to President Putin when they met: If the Russian government cannot, or will not take action against criminal actors residing in Russia, we will take action – or reserve the right to take action on our own,' President Joe Biden's Press Secretary Jen Psaki told reporters during her briefing Tuesday.

Psaki added: 'A high level of our national security team has been in touch with a high level of Russian officials.'

She also previewed that these expert-level discussions will continue next week with another meeting 'focused on ransomware attacks.' 

The press secretary said that the U.S. intelligence community has still not attributed the attack to Russia, although a hacking gang linked to the nation, REvil, has claimed responsibility for the cyberattack. 

White House Press Secretary Jen Psaki said Tuesday: 'If the Russian government cannot, or will not take action against criminal actors residing in Russia, we will take action' in response to cyberattacks 

'The intelligence community has not yet attributed the attack,' Psaki said.

'The cybersecurity community agrees that our evil operates out of Russia with affiliates around the world,' she continued, 'but in our conversations, and we have been in touch directly, we are continuing to convey that message clearly.'

Even if the attack is not coming directly from the Kremlin, Psaki said, the administration still believes Puin has a responsibility to take action against those operating criminally within Russian against private entities in other countries.

REvil was able to breach Kaseya, a Miami-based IT firm, and use their malware protection product to target, it claims, up to 1 million different businesses in at least 17 different countries.

The gang is publicly demanding $70 million bitcoin to fix the issue, which the White House is advising Kaseya against.

REvil has lowered their asking price to $50 million, according to private negotiations reported by Reuters on Monday. 

'Our ransomware policy continues to be the same as it has been for several months, which is we do not advise – we advise against, in fact – companies paying ransomware, given it incentivizes bad actors to repeat this behavior,' she said Tuesday, adding she is not sure 'whether the company has paid ransom.' 

Critics are lashing out at President Joe Biden for not keeping his promise to get tough on Russia over cyberattacks after the most recent REvil hack targeted up to 1 million companies

Biden has faced a slew of criticism for his slow response to the ransomware attack and his failure to 'get tough' on Russia despite vowing retaliation if there were any attacks on U.S. critical infrastructure.

John Katko told DailyMail.com Monday night the U.S. is 'facing a time of reckoning' in relations with Russia.

'Only weeks after President Biden sat down with Putin and allegedly talked a tough game with Russia, hackers from Russia again attacked thousands of U.S. companies, compromising our nation's critical infrastructure,' Katko, ranking member of the House Committee on Homeland Security, said.

'We're facing a moment of reckoning when it comes to deterrence,' the New York congressman continued. 'Adversaries like Russia are creating safe havens for bad actors and we must project strength.'

Critics are applying pressure to Biden after he promised to get tough on Russia – and has failed so far to follow through on responding after a Kremlin-linked hacking group attacked the systems of at least 1,500 businesses.

Although Biden has instructed the FBI to launch an investigation into the hack, he insists he is still 'not sure who' is behind the cyberattack.

'Bad actors like these are emboldened when President Biden projects weakness on the world stage,' Georgia Representative Buddy Carter told DailyMail.com.

He added: 'We should take immediate action to hold Russia accountable and make it clear we will not tolerate acts cyber terrorism.'

Committee on Homeland Security Ranking Member John Katko told DailyMail.com that the U.S. is 'facing a time of reckoning' as President Joe Biden still hasn't responded to a Russian-linked ransomware attack that could have affected up to 1 million companies

Cyber attack on US IT provider forces Swedish grocery store chain to close ALL 800 stores 

The Swedish Coop grocery store chain closed all its 800 stores on Saturday after the ransomware attack on Kaseya left it unable to operate its cash registers.

According to Coop, one of Sweden's biggest grocery chains, a tool used to remotely update its checkout tills was affected by the attack, meaning payments could not be taken.

'We have been troubleshooting and restoring all night, but have communicated that we will need to keep the stores closed today,' Coop spokesperson Therese Knapp told Swedish Television.

The Swedish news agency TT said Kaseya technology was used by the Swedish company Visma Esscom, which manages servers and devices for a number of Swedish businesses.

State railways services and a pharmacy chain were also impacted by the attack.

'They have been hit in various degrees,' Visma Esscom chief executive Fabian Mogren told TT.

Defence Minister Peter Hultqvist told Swedish Television the attack was 'very dangerous' and showed business and state agencies need to better prepare. 'In a different geopolitical situation, it may be government actors who attack us in this way in order to shut down society and create chaos,' he said.

Katko says U.S. critical infrastructure sectors are increasingly vulnerable to cyber attacks.

'I am currently leading a legislative effort to codify what constitutes Systemically Important Critical Infrastructure into law. This will be an important step in more robustly securing our nation's key industries and sectors against attacks by adversaries like Russia,' the lawmaker said.

REvil, the ransomware gang also known as Sodinokibi, claims it hit up to 1 million companies and is still publicly demanding $70 million in cryptocurrency to restore data it is holding ransom.

Jack Cable of the cybersecurity-focused Krebs Stamos Group told Reuters that one of the gang's affiliates negotiated with him and said he could sell a 'universal decryptor' for all the victims for $50 million.

Cable informed Reuters that he was able to get through to the REvil hackers after obtaining a cryptographic key needed to log on to the group's payment portal.

Reuters was then able to log on to the payment portal and chat with an operator who insisted the price remained at $70 million, but said 'we are always ready to negotiate.'

Biden told Russian President Vladimir Putin during a bilateral meeting in Geneva last month that he would retaliate against hacking groups that target the U.S., and on Saturday the president told reporters that he will take action against the ransomware attack.

Also during that meeting on June 16, Biden said he gave a list to Putin of 16 'off-limits' critical infrastructure entities.

'Remember when President Biden gave Putin a list of things that were supposed to be off-limits for cyber attacks?' House Minority Leader Kevin McCarthy tweeted on Saturday.

'What he SHOULD have said is that ALL American targets are off-limits,' the California Republican continued.

He added: 'Biden is soft on crime and weak against Putin.'

Those 'off-limits' entities include energy, water, health care, emergency, chemical, nuclear, communications, government, defense, food, commercial facilities, IT, transportation, dams, manufacturing and financial services.

The most recent REvil hack, which was launched Friday, was aimed at breaching the IT systems of companies in at least 17 countries.

'Hard to see this as anything other than Putin tellin' Biden to f*** off,' one journalist wrote on Twitter.

Experts believe this could be the biggest ransomware attack on record.

This specific type of cyber attack is a form of digital hostage-taking where hackers encrypt victims' data and then demand money for restored access.

Swedish grocery stores, which remained closed on Tuesday, as well as kindergartens in New Zealand, pharmacies, gas stations and two major Dutch IT firms were among the victims of the Friday hack.

REvil breached Kaseya, a Miami-based IT firm, and used the company's malware protection product to scale the attack across the world.

'This marks a serious escalation just weeks after Putin-Biden summit on ransomware,' New York Times cybersecurity reporter Nicole Perlroth tweeted Saturday.

'Not only is this a supply chain attack on MSPs,' she continued, 'they broke in via a zero day, a significant advance for REVil which has traditionally compromised victims through usual means of phishing, etc.' 

House Minority Leader Kevin McCarthy said Biden is 'weak against Putin'. He tweeted: 'Remember when President Biden gave Putin a list of things that were supposed to be off-limits for cyber attacks? What he SHOULD have said is that ALL American targets are off-limits'

Author Greg Olear wrote that it's time to retaliate.

'Its time,' he tweeted on Saturday. 'Kick them off the world banking system. Shut off the pipeline. No more appeasement.'

Others slammed President Biden as 'weak' for his slow response to the global cyberattack. 

During a trip to Central Lake, Michigan on Saturday, Biden said he would take action against the actors once more is known – casting doubt on whether the attack came from Russia.

'We're not sure who it is,' the president said, while he celebrated the start of July 4 weekend at a cherry farm in the Great Lake State.

'The initial thinking was it was not the Russian government but we're not sure yet,' he continued as he fumbled with a paper in his suit jacket pocket with notes from a briefing on the situation beforehand.

He added: 'If it is either with the knowledge of and/or a consequence of Russia, then I told Putin we will respond.'

Biden said that he would respond more on Sunday, July 4, but did not release anything more on the incident on Independence Day.

The latest hack is believed to be the largest ransomware attack on record and affected the IT systems of up to 1 million companies across the world. 

Biden and Putin held bilateral talks in Geneva on June 16 where the U.S. president said he gave his counterpart a list of 16 critical infrastructure entities that are 'off limits', including IT, which was targeted by the REvil hack

Satnam Narang, a researcher at cyber exposure company Tenable, tweeted a screenshot of a blog post the hacking collective had posted on the dark web

Kaseya says just a few dozen of its customers were directly affected by the attack, but knock-on effects have brought down firms in 17 countries - with one expert saying the attack is 'unprecedented' in its scale and sophistication.

REvil, which was behind the recent hack of meat processor JBS which saw an $11million ransom paid, has been negotiating ransoms of up to $5million with individual firms - but now says for $70million it will unlock all affected networks.

Joe Biden, who last month warned President Putin to take action against hacking groups targeting the US from Russia, said the FBI is investigating the latest hack and he will take action if Moscow is deemed to be responsible.

Analysts said it is no coincidence that the attack coincided with the July 4 holiday weekend, when companies would be under-staffed and less able to respond.  

Ciaran Martin, founder of the UK's National Cyber Security Centre, told Radio 4: 'The scale and sophistication of this global crime is rare, if not unprecedented.

'It is a really serious, global operation.' 

Swedish grocery chain Coop was forced to close all 800 of its stores on Sunday and said they would remain shut on Monday after its tills were affected.

The country's national rail operator and public broadcaster SVT were also affected.

In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised.

Also among reported victims were two big Dutch IT services companies - VelzArt and Hoppenbrouwer Techniek.

But most victims are believed to be small to medium-sized firms that are unlikely to publicly announce they have been infected - car dealerships, hair salons and accounting firms, among others.

Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.

An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.

Earlier, the FBI said in a statement that while it was investigating the attack its scale 'may make it so that we are unable to respond to each victim individually.' 

Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had 'directed the full resources of the government to investigate this incident' and urged all who believed they were compromised to alert the FBI.

The president told reporters Saturday that it is not yet clear who is behind the latest cybersecurity breach to strike American businesses but insisted that he 'will respond' if it is tied to Russian President Vladimir Putin.

'We're not sure who it is,' he said, while he celebrated the start of July 4 weekend at a cherry farm in Central Lake, Michigan.

'The initial thinking was it was not the Russian government but we're not sure yet.'

He added: 'If it is either with the knowledge of and/or a consequence of Russia, then I told Putin we will respond.'

Biden warned that the US will retaliate if it finds out Russia was behind the mass cyberattack that hit at least 1,000 firms in the run-up to July 4 weekend. Biden speaking at a cherry farm store in Central Lake, Michigan Saturday

Less than a month ago, Biden pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat. 

A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector - though few large companies, cybersecurity firm Sophos reported. 

Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up. Most ransomware victims don't publicly report attacks or disclose if they've paid ransoms.

The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.

In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported. Also among reported victims were two big Dutch IT services companies — VelzArt and Hoppenbrouwer Techniek. 

CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like 'dental practices, architecture firms, plastic surgery centers, libraries, things like that.'

Voccola said in an interview that only between 50-60 of the company's 37,000 customers were compromised. But 70% were managed service providers who use the company's hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks.

Experts say it was no coincidence that REvil launched the attack at the start of the Fourth of July holiday weekend, knowing U.S. offices would be lightly staffed. Many victims may not learn of it until they are back at work on Monday. Most end users of managed service providers 'have no idea' whose software keep their networks humming, said Voccola,

Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.

The REvil offer to offer blanket decryption for all victims of the Kaseya attack in exchange for $70 million suggested its inability to cope with the sheer quantity of infected networks, said Allan Liska, an analyst with the cybersecurity firm Recorded Future. Although analysts reported seeing demands of $5 million and $500,000 for bigger targets, it was apparently demanding $45,000 for most.

'This attack is a lot bigger than they expected and it is getting a lot of attention. It is in REvil's interest to end it quickly,' said Liska. 'This is a nightmare to manage.'

Analyst Brett Callow of Emsisoft said he suspects REvil is hoping insurers might crunch the numbers and determine the $70 million will be cheaper for them than extended downtime.

Sophisticated ransomware gangs on REvil's level usually examine a victim's financial records — and insurance policies if they can find them — from files they steal before activating the ransomware. The criminals then threaten to dump the stolen data online unless paid. In this attack, that appears not to have happened.

Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a 'zero day,' the industry term for a previous unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing.

'The level of sophistication here was extraordinary,' he said.

When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn't just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software.

It was not the first ransomware attack to leverage managed services providers. In 2019, criminals hobbled the networks of 22 Texas municipalities through one. That same year, 400 U.S. dental practices were crippled in a separate attack.

One of the Dutch vulnerability researchers, Victor Gevers, said his team is worried about products like Kaseya's VSA because of the total control of vast computing resources they can offer. 'More and more of the products that are used to keep networks safe and secure are showing structural weaknesses,' he wrote in a blog Sunday.

The cybersecurity firm ESET identified victims in least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.

Kaseya says the attack only affected 'on-premise' customers, organizations running their own data centers, as opposed to its cloud-based services that run software for customers. It also shut down those servers as a precaution, however.

Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.

Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms. U.S. officials say the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.

Cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank said that while he does not believe the Kaseya attack is Kremlin-directed, it shows that Putin 'has not yet moved' on shutting down cybercriminals.