A ransomware attack took down the networks of at least 200 U.S. companies on Friday (July 2).
The REvil gang, a major Russian-language ransomware group, appears to be behind the attack, said John Hammond of security firm Huntress Labs. The criminals targeted a software vendor called Kaseya, using its network management package as a conduit to distribute ransomware through cloud service providers, he said. Other researchers agreed with Hammond’s assessment.
In a tweet, Hammond said, “Kaseya deals with both large and small companies globally, so eventually, this has the potential to expand to businesses of any size.”
Hammond said: “This is a huge and devastating supply chain attack.”
Such cyberattacks typically infiltrate widely used software and spread when malware is automatically updated.
It is unclear how many Kaseya customers may have been affected, or who they may be. In a statement on its website, Kaseya urged customers to immediately shut down servers running the affected software. The company said the attack was limited to a “small number” of customers.
‘SolarWinds with ransomware’
Brett Callow, a ransomware expert at cybersecurity firm Emsisoft, said he doesn’t know if ransomware supply chain attacks of this magnitude have happened before. There have been some, he said, but they were fairly small.
“It’s SolarWinds with ransomware,” he said. He was referring to the Russian cyber espionage hacking campaign discovered last December that spread by infecting network management software to infiltrate U.S. federal agencies and dozens of companies.
Jack Williams, president and cybersecurity researcher at Rendition Infosec, said he has worked with six companies that have been hit by ransomware. He said it is no coincidence that this happened just before the July 4 weekend, when IT staff is generally scarce.
“There’s no doubt in my mind that it was intentional in terms of the timing,” he said.
Huntress’ Hammond said he was aware of four companies hosting IT infrastructure for multiple customers that were hit by ransomware, which encrypts a victim’s systems until the ransom demanded by the attackers is paid. Thousands of computers have been attacked, he said.
Hammond said, “We currently have three Huntress partners and about 200 businesses that have been encrypted.”
Hammond wrote in a tweet, “Based on everything we’re seeing right now, we’re convinced this is REvil/Sodinikibi.” The FBI linked the same ransomware provider to the May attack on JBS SA, a major global meat processor.
In a statement issued late Friday, the federal Cybersecurity and Infrastructure Security Agency said it is closely monitoring the situation and working with the FBI to gather more information about its impact.
CISA urged anyone who may have been affected to “follow Kaseya’s instructions to immediately shut down VSA servers.” Kaseya’s VSA (Virtual System Administrator) product is used by service providers to remotely manage and monitor their customers’ networks.
Privately held Kaseya says it is based in Dublin, Ireland, with U.S. headquarters in Miami. The Miami Herald recently called the company “one of Miami’s oldest technology companies” in a story about its plans to hire up to 500 employees by 2022 as a result of its recent acquisition of a cybersecurity platform.
“This is a classic supply chain attack where criminals compromise a trusted company supplier and abuse that trust to attack their customers,” Brian Honan, an Irish cybersecurity consultant, said in an email Friday.
Small businesses may have a hard time defending themselves against this type of attack because they “rely on the security of their vendors and the software those vendors use,” he said.
Recovery may be easier
The only good news, says Rendition Infosec’s Williams, is that “many of our customers don’t have Kaseya installed on every computer in their network,” making it harder for an attacker to gain full control of the organization’s computer systems.
That makes recovery easier, he said.
The REvil organization, active since April 2019, offers “ransomware as a service,” meaning it develops network-crippling software and rents it to so-called affiliates, who infect targets and keep most of the ransom.
REvil is one of the ransomware gangs that steals data from targeted organizations before activating the ransomware, giving it extra leverage in ransom negotiations. The average ransom paid to the group last year was about $500,000, the cybersecurity firm Palo Alto Networks said in a recent report.
Some cybersecurity experts predict the group may have trouble handling ransom negotiations given the number of victims, but the long holiday weekend in the United States may give it more time to prepare.