Cybersecurity teams worked indefatigably on Sunday to stem the single biggest global ransomware attack on record as details unfold of how the Russia-linked gang responsible breached the company company whose software was the conduit.

An affiliate of the notorious REvil gang infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.

REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency.

Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had “directed the full resources of the government to investigate this incident” and urged all who believed they were compromised to alert the FBI.

Less than a month ago, Biden urged Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the US deems a national security threat.

A broad array of businesses and public agencies were hit by the latest attack, the cybersecurity firm Sophos reported.

The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day on Sunday because their cash register software supplier was crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.

In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported. Also among reported victims were two big Dutch IT services companies – VelzArt and Hoppenbrouwer Techniek. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms.

CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”

Voccola said in an interview that only between 50-60 of the company’s 37,000 customers were compromised. But 70 per cent were managed service providers who use the company’s hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks.

Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.

The REvil offer to offer blanket decryption for all victims of the Kaseya attack in exchange for $70 million suggested its inability to cope with the sheer quantity of infected networks, said Allan Liska, an analyst with the cybersecurity firm Recorded Future.

“This attack is a lot bigger than they expected and it is getting a lot of attention. It is in REvil’s interest to end it quickly,” said Liska. “This is a nightmare to manage.”

Analyst Brett Callow of Emsisoft said he suspects REvil is hoping insurers might crunch the numbers and determine the $70 million will be cheaper for them than extended downtime.

Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a “zero day,” the industry term for a previous unknown security hole in software. Voccola would not confirm that or offer details of the breach – except to say that it was not phishing.

“The level of sophistication here was extraordinary,” he said.

When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn’t just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software.

The cybersecurity firm ESET identified victims in least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.

Kaseya says the attack only affected “on-premise” customers, organizations running their own data centers, as opposed to its cloud-based services that run software for customers. It also shut down those servers as a precaution, however.

Kaseya, which called on customers on Friday to shut down their VSA servers immediately, said on Sunday it hoped to have a patch in the next few days.