Posted by Clare Duffy, CNN Business

Businesses and governments around the world are striving to understand even more Major ransomware attack which was struck over the weekend in what could cost tens of millions of dollars and affect more than 1,000 other companies.

Hackers have hit a number of IT management companies and compromised their corporate customers by targeting a major software provider called Kaseya. On Monday the attackers did requested a payment of $ 70 million in Bitcoin in exchange for a decryption tool that could help victims recover from the attack.

Kaseya is the latest ransomware victim in a series of attacks that have also been hit Large fuel supplier Colonial Pipeline and Meat processor JBS Foodscausing concern among researchers, and business leaders US officials over Cyber ​​risks for physical and digital infrastructure.

With the attack just before a bank holiday weekend, the full extent of the damage may not be known until this week. Here’s what we know so far.

Who was affected?

On Friday afternoon, Kaseya was warned of a possible attack on remote management software called VSA, the company said in a report statement. Within an hour, it blocked access to this software in order to contain the spread of the attack. See you Saturday, US officials said they chased the attack.

Kaseya provides technology that helps other businesses manage their information technology – essentially the digital backbone of their operations. In many cases, Kaseya sells its technology to third party vendors who manage IT for other companies, often small and medium-sized businesses. In short, by attacking Kaseya’s software, attackers had easier access to the networks of different companies.

At the weekend, experts said the attack had killed at least a dozen IT support firms that rely on Kaseya’s remote management tool. The incident affects not only Kaseya’s IT management customers, but also the corporate customers of the companies that have outsourced IT management to them.

Kaseya on Tuesday said about 50 of its customers using the local version of VSA were directly compromised by the attack – but it said up to 1,500 downstream companies around the world were compromised. These include dental offices, small accounting offices and local restaurants, the company said.

Kaseya’s CEO Fred Voccola added in an interview with Reuters It is difficult to gauge the full impact of the attack on Monday, but he was unaware that nationally important organizations were endangered by the attack.

“We’re not looking at massive critical infrastructure,” he told Reuters. “It’s not our business. We do not operate the AT&T network or the Verizon 911 system. Nothing like that. “

Who was behind it?

REvil is the criminal hacker gang whose malware was behind the Kaseya attack, said cyber researchers.

The group, believed to be operating out of Eastern Europe or Russia, is one of the most notorious “ransomware-as-a-service” providers, which means they provide tools for others to carry out ransomware attacks and one Takes part of the profits. It also carries out some of its own attacks.

Experts have followed REvil since its launch in 2019 and quickly became something of a “thought leader” in the hacking space, said Jon DiMaggio, chief security strategist at Cyber ​​security firm Analyst1, which tracks ransomware groups. Several groups of hackers, including the DarkSide gang that ran the Colonial Pipeline May attack, believed to have been created by people who originally worked for REvil, DiMaggio said.

REvil It is believed to operate from Eastern Europe or Russia because its agents communicate online in Russian and its attacks are generally aimed at bypassing Russian devices, experts say. US officials have urged Russia Take action to prosecute cybercriminal groups operating in the country.

REvil was also behind several other high profile ransomware attacks recently – it hit JBS Foods Last month, Apple supplier Quanta Computer In April and electronics manufacturer Acer March.

About the time …

It is not surprising that the attack came just before a major bank holiday weekend. Experts say that holidays and long weekends are the best times for hackers to launch ransomware attacks, as it gives them more time to encrypt files and devices before anyone has a chance to notice and act.

According to DiMaggio, the execution of the attack on the weekend of July 4th could also have been intentional.

After US officials shut down DarkSide after the Colonial Pipeline attack and reclaimed some of the ransom received, REvil went on online hacking forums to say that ransomware groups would not be deterred by the United States, DiMaggio said.

“They always seemed to be against the US, but especially since DarkSide’s takedown, and now we’re seeing this massive attack on our infrastructure on Independence Day weekend,” he said. “I think it sends a very strong message.”

How did the White House react?

The White House has urged companies that believe their systems have been compromised by the attack to report this immediately to the Internet Crime Complaint Center.

“Since Friday, the US government has been working across agencies to evaluate the Kaseya ransomware incident and to help with the response,” said Anne Neuberger, deputy national security advisor for cyber and new technologies, on Sunday. “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) worked with Kaseya and coordinated contact with affected victims.”

President Joe Biden also said in a news conference over the weekend that while officials are still investigating the source of the attack, the United States could retaliate if the Russian government is involved.

“If it happens to either knowledge and / or the consequences of Russia, then I have told Putin that we will respond,” Biden said on Saturday, referring to his meeting with the Russian leader last month. “We are not sure. At first we thought it wasn’t the Russian government, but we’re not sure yet. “

What shall we learn?

The attack on Kaseya points to a popular target for ransomware attackers: managed service providers. MSPs such as Kaseya’s customers enable companies to outsource certain software and services, such as IT management, to third parties, thereby avoiding the cost of hiring such experts in-house.

SolarWinds – the company run by one devastating security breach last year – Similarly provides IT management software to many Fortune 500 companies and government agencies.

While attacks on these types of vendors are not new, MSPs represent a great opportunity for hackers because of the way they interact with other companies’ networks, DiMaggio said. In many cases, there are no technical reviews of software updates from these vendors because they are considered “trusted” partners, making customers potentially vulnerable to attackers who could embed ransomware payloads in these updates.

“There will have to be more checks and balances for each third party,” he said.

The CNN Wire
™ & © 2021 Cable News Network, Inc., a WarnerMedia company. All rights reserved.

Source link
#Kaseya #massive #ransomware #attack #compromised #companies #News #channel

Leave a Reply