Corporations rushed to contain a ransomware attack that paralyzed their computer networks on Saturday, a situation made more difficult in the US by lightly staffed offices at the start of the July 4th holiday weekend.
In Sweden, according to SVT, the country’s public broadcaster, most of the 800 shops of the Coop grocery chain couldn’t open because their registers weren’t working. The Swedish State Railways and a large local pharmacy chain were also affected.
Cybersecurity experts say the REvil gang, a large Russian-speaking ransomware syndicate, appears to be behind the attack on a software provider named Kaseya, which spread ransomware through cloud service providers.
Fred Voccola, CEO of Kaseya, said in a statement that the company believes it has identified the source of the vulnerability and “will release this patch as soon as possible to get our customers back up and running.”
John Hammond of security firm Huntress Labs said he knew of a number of managed service providers – companies that host IT infrastructures for multiple customers – that have been hit by ransomware that encrypts networks until victims pay the attackers.
“It is reasonable to assume that this could potentially affect thousands of small businesses,” Hammond said, basing his estimate on the service providers reaching out to his company for help and on Reddit comments that show how others are reacting.
Voccola said fewer than 40 of Kaseya’s customers have been affected, but the ransomware could still affect hundreds more companies that rely on Kaseya’s customers for more comprehensive IT services.
Voccola said the problem only affects its “on-premise” customers, meaning companies that run their own data centers. It has no impact on its cloud-based services that run software for customers, although Kaseya has also shut down those servers as a precautionary measure, he said.
The company added in a statement on Saturday that “customers who have experienced ransomware and receive a message from the attackers should not click links – they could be used as weapons”.
Gartner analyst Katell Thielemann said it was clear that Kaseya took action quickly, but it is less clear whether their affected customers had the same level of willingness.
“They responded with an abundance of caution,” she said. “But the reality of this event is that it is designed for maximum impact and combines a supply chain attack with a ransomware attack.”
Supply chain attacks are those that typically infiltrate widely used software and spread malware as the software updates automatically.
To make matters worse, this happened at the start of a major holiday weekend in the United States, when most companies’ IT teams were under-staffed.
It could also mean that these companies are unable to fix other security vulnerabilities, such as a dangerous Microsoft bug that affects software for print jobs, said James Shank of threat intelligence company Team Cymru.
“Kaseya’s customers are in the worst of cases,” he said. “You are racing against time to release updates on other critical bugs.”
Shank said, “It is reasonable to assume that the timing was planned by hackers for the holiday”.
The federal Cybersecurity and Infrastructure Security Agency (CISA) said in a statement that it is closely monitoring the situation and is working with the FBI to gather more information about its impact.
CISA urged anyone who could be affected “to follow Kaseya’s instructions to shut down VSA servers immediately”. Kaseya runs what is called a virtual system administrator, or VSA, which is used to remotely manage and monitor a customer’s network.
Privately held Kaseya is based in Dublin, Ireland with a US headquarters in Miami.
REvil, the group most experts linked to the attack, was the same ransomware provider the FBI linked to an attack on JBS SA, a major global meat processor, over the Memorial Day holiday weekend in May.
The group has been active since April 2019 and offers ransomware-as-a-service, which means it develops the network-crippling software and rents it to so-called affiliates who infect targets and earn the lion’s share of the ransom money.
The Brazil-based meat company said it paid the hackers an $11 million ransom, escalating demands by US law enforcement agencies to bring such groups to justice.