A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, knocking them offline, according to a cybersecurity researcher whose company was responding to the incident.
John Hammond of the security firm Huntress Labs said the attack appeared to be the work of REvil, a prominent Russian-speaking ransomware gang. The attackers, he said, had targeted a software supplier named Kaseya and used the company's network-management package as a conduit to push the ransomware out through cloud-service providers to their customers. Other researchers agreed with Hammond's assessment.
“Kaseya handles businesses of all sizes, from major corporations to tiny enterprises throughout the world. Ultimately, (this) has the potential to expand to any size or scale business,” Hammond said in a direct message on Twitter. “This is a massive and destructive supply chain attack.”
Attacks of this kind compromise widely used software and ride on its own distribution channel, so that the malware reaches every customer when the software updates automatically.
At the time of publication it was unclear how many Kaseya customers had been affected, or who they were. In a statement on its website, Kaseya urged customers to shut down servers running the affected software immediately. The company said the attack had been limited to a “small number” of its customers.
Brett Callow, a ransomware expert at the security firm Emsisoft, said he was not aware of any previous ransomware supply-chain attack of this scale. There have been others, he said, but they were all very small.
His summary: “This is SolarWinds infected with ransomware.” He was referring to the Russian cyber-espionage campaign uncovered in December, which spread by compromising network-management software and went on to infiltrate U.S. federal agencies as well as a large number of businesses.
Jake Williams, president of the cybersecurity research firm Rendition Infosec, said he was already working with six organizations that had been hit by the ransomware. It was no coincidence, he said, that the attack came just before the Fourth of July weekend, when IT staffing is typically thin.
In his words, “There is absolutely no doubt in my opinion that the timing here was deliberate.”
According to Huntress, the victims include four managed-service providers, firms that host IT infrastructure for many different clients, so a single compromised provider puts all of its clients at risk. Ransomware encrypts a victim's systems and data until the victim pays the attackers. Hammond said thousands of computers had been compromised.
“We now have three Huntress partners who are impacted, with about 200 firms that have been encrypted,” Hammond added.
“Based on what we are seeing right now, we are certain that this (is) REvil/Sodinokibi,” Hammond said on Twitter. According to the FBI, the same ransomware provider was behind the May attack on JBS SA, one of the world's largest meat processors.
The federal Cybersecurity and Infrastructure Security Agency (CISA) said in a statement late Friday that it was closely monitoring the situation and working with the FBI to gather more information about the attack's impact.
“Follow Kaseya's instructions to shut down VSA servers immediately,” CISA advised anyone who might be affected. Kaseya's product, known as a virtual system administrator, or VSA, is used to remotely manage and monitor a customer's network, which is what made it such an effective distribution channel for the attackers.
Kaseya, which is privately held, says it is headquartered in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald, in an article about the company's plans to hire as many as 500 employees by 2022 to run a recently acquired cybersecurity platform, called it “one of Miami's oldest digital businesses.”
“This is a classic supply chain assault in which the crooks have infiltrated a trusted supplier of firms and have misused that trust to target their clients,” Brian Honan, an Irish cybersecurity consultant, said in an email Friday.
Smaller firms may find it difficult to defend against this kind of attack, he said, because they “rely on the security of their suppliers and the software that those suppliers are using.”
Williams of Rendition Infosec noted that “a lot of our customers do not have Kaseya installed on every workstation in their network,” which limits how easily the attackers can move through an organization's systems and, he said, makes recovery less difficult.
REvil has been active since April 2019. It operates as ransomware-as-a-service: the group develops the malware and rents it to affiliates, who carry out the intrusions and keep the lion's share of the ransoms collected.
REvil is among the ransomware gangs that steal data from victims before encrypting their systems, giving the attackers a second lever (the threat of publishing the stolen data) with which to raise the ransom demand. A recent analysis by the cybersecurity firm Palo Alto Networks put the average ransom payment to the gang at about half a million dollars last year.
Given the sheer number of victims, several cybersecurity experts predicted the gang would struggle to manage so many ransom negotiations at once, although the long U.S. holiday weekend might give it extra time to start working down the list.