It is not yet known how many companies are being hit by ransom demands in order to get their systems up and running again. However, some cybersecurity researchers predict that the attack on customers of software provider Kaseya could be one of the most comprehensive ransomware attacks in history.
It follows a scourge of headline-grabbing attacks in recent months that have sparked diplomatic tension between US President Joe Biden and Russian President Vladimir Putin over whether Russia has become a safe haven for cyber criminals.
Biden said on Saturday that he does not yet know exactly who was responsible, but suggested that the US would react if Russia had anything to do with it.
“If it is either with the knowledge of and/or a consequence of Russia, I have told Putin that we will answer,” said Biden. “We’re not sure. The first thought was that it wasn’t the Russian government.”
Cyber security experts say the REvil gang, a large Russian-speaking ransomware syndicate, appears to be behind the attack on software company Kaseya, using Kaseya’s network management package as a channel to spread the ransomware through cloud service providers.
“The number of victims here is already over a thousand and will probably be in the tens of thousands,” said cybersecurity expert Dmitri Alperovitch from the think tank Silverado Policy Accelerator. “No other ransomware campaign comes close in terms of impact.”
Cyber security firm ESET says there are victims in at least 17 countries including the UK, South Africa, Canada, Argentina, Mexico, Kenya and Germany.
In Sweden, according to SVT, the country’s public broadcaster, most of the 800 shops of the Coop grocery chain couldn’t open because their registers weren’t working. The Swedish State Railways and a large local pharmacy chain were also affected.
Fred Voccola, CEO of Kaseya, said in a statement that the company believes it has identified the source of the vulnerability and “will release this patch as soon as possible to get our customers back up and running.”
Voccola said fewer than 40 of Kaseya’s customers were affected, but experts said the ransomware could still affect hundreds more companies that rely on Kaseya’s customers to provide more comprehensive IT services.
John Hammond of security firm Huntress Labs said he knew a number of managed service providers – companies that host IT infrastructure for multiple customers – had been hit by ransomware that encrypts networks until victims pay the attackers.
“It’s reasonable to assume that this could potentially affect thousands of small businesses,” Hammond said, basing his estimate on the service providers who are reaching out to his company for help and on comments on Reddit that show how others are reacting.
At least some victims appear to have received ransom demands of $45,000, which is considered a small demand but one that could quickly add up if made of thousands of victims, said Brett Callow, a ransomware expert at cybersecurity firm Emsisoft.
Callow said it is not uncommon for sophisticated ransomware gangs to review a victim’s stolen financial records to see what they can actually pay, but that will not be possible when there are so many victims to negotiate with.
“They have just set the demand at a level most companies are willing to pay,” he said.
Voccola said the problem only affects its “on-premise” customers, meaning companies that run their own data centers. It has no impact on its cloud-based services that run software for customers, although Kaseya has also shut down those servers as a precautionary measure, he said.
The company added in a statement on Saturday that “customers who have experienced ransomware and receive a message from the attackers should not click links – they could be used as weapons.”
Gartner analyst Katell Thielemann said it was clear that Kaseya took action quickly, but it is less clear whether its affected customers had the same level of readiness.
“They reacted with great caution,” she said. “But the reality of this event is that it is designed for maximum impact, combining a supply chain attack with a ransomware attack.”
Supply chain attacks typically infiltrate widely used software and spread malware as that software updates automatically on its users’ systems.
To make matters worse, this happened at the start of a major holiday weekend in the United States, when most companies’ IT teams were understaffed.
It could also mean that these companies are unable to fix other security vulnerabilities, such as a dangerous Microsoft bug that affects software for print jobs, said James Shank of threat intelligence company Team Cymru.
“Kaseya’s customers are in the worst of positions,” he said. “They’re racing against time to get updates out for other critical bugs.”
Shank said “it is reasonable to assume that the timing was planned by the hackers for the holiday”.
The US Chamber of Commerce said it affects hundreds of companies and is “another reminder that the US government must fight these foreign cybercriminal syndicates” by investigating, disrupting and prosecuting them.
The federal Cybersecurity and Infrastructure Security Agency (CISA) said in a statement that it is closely monitoring the situation and is working with the FBI to gather more information about its impact.
CISA urged anyone who could be affected “to follow Kaseya’s instructions to shut down VSA servers immediately”. Kaseya runs what is called a virtual system administrator, or VSA, which is used to remotely manage and monitor a customer’s network.
Privately held Kaseya is based in Dublin, Ireland with a US headquarters in Miami.
REvil, the group most experts have linked to the attack, is the same ransomware provider the FBI linked to the attack on JBS SA, a major global meat processor, over the Memorial Day holiday weekend in May; JBS had to pay a ransom of $11 million.
The group has been active since April 2019 and offers ransomware-as-a-service, which means it develops the network-crippling software and rents it to so-called affiliates who infect targets and earn the lion’s share of the ransom money.
US officials said the most powerful ransomware gangs are based in Russia and allied states and operate with the tolerance of the Kremlin and sometimes collaborate with Russian security services.
Alperovitch said he believed the latest attack was financially motivated and not Kremlin-led.
However, he said it shows that Putin “has not yet moved” to shut down cybercriminals in Russia after Biden urged him to do so at their June summit in Switzerland.
When asked about the attack during a trip to Michigan on Saturday, Biden said he had asked the intelligence services for a “deep insight” into the events. He said he expected to know more by Sunday.
AP reporters Frank Bajak in Boston, Eric Tucker in Washington, and Josh Boak in Central Lake, Michigan contributed to this report.
Copyright © 2021 by The Associated Press. All rights reserved.