Researchers said cybercriminals were demanding $50,000 from smaller companies and $5 million from larger ones
A supply-chain ransomware attack that hit hours before the beginning of a holiday weekend has already affected more than 200 businesses, researchers said.
On Friday, information technology company Kaseya sent out a warning of a “potential attack” on its VSA tool, which is used by IT to manage and monitor computers remotely. Kaseya urged customers to shut down their servers running the service.
It was unclear late Friday how disruptive the attack might be on U.S. businesses. More than 40,000 organizations use Kaseya products, the company says, which includes VSA and other IT tools.
Researchers said cybercriminals were sending two different ransom notes on Friday — demanding $50,000 from smaller companies and $5 million from larger ones.
The U.S. Cybersecurity and Infrastructure Security Agency urged companies in a statement to follow Kaseya’s advice and said it is “taking action to understand and address the recent supply-chain ransomware attack.”
Huntress Labs, a cybersecurity software company that has clients who were affected by the attack, said it believes Russian-speaking hacking group REvil is behind the ransomware attack. That’s the same group that the FBI said was responsible for the attack on JBS Meats, which resulted in the company paying REvil $11 million in ransom.
Kaseya said in a memo from CEO Fred Voccola late Friday night that it learned of the “potential security incident” midday Friday. The company said it estimates fewer than 40 direct customers have been impacted. Researchers note that those customers could have their own clients who were, in turn, affected.
“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly,” Voccola wrote.
The assault came just weeks after President Biden met with Russian President Vladimir Putin in Geneva, warning him that the United States would hold Moscow accountable for cyber attacks that emanate from Russia. Many cybersecurity threat analysts believe that REvil operates largely out of Russia. The recent spate shows underscores the challenge facing the Biden administration in deterring ransomware attacks conducted by criminals given safe harbor in countries like Russia.
Huntress Labs said they had found eight managed service providers (MSPs) — companies that provide IT services to other companies on a contractual basis — that had been hit by the attack. Around 200 businesses that are served by these MSPs have been locked out of parts of their network, Huntress Labs said.
“It is absolutely the biggest non-nation state supply-chain cyberattack that we’ve ever seen,” Allan Liska, a researcher with cybersecurity firm Recorded Future, said Friday. “And it’s probably the biggest ransomware attack we’ve seen, at least the biggest since WannaCry.”
He noted it could be the largest number of companies one ransomware attack has hit. The companies affected could be a wide range of small to large firms, and many are likely to be small to midsized businesses that use managed IT services. Kaseya also counts a number of state and local governments as customers, Liska said.
The WannaCry computer worm affected hundreds of thousands of people in 2017. The National Security Agency eventually linked the North Korean government to the creation of the worm.
Ransomware attacks increased significantly in frequency and severity during 2020. A report from a task force of more than 60 experts said nearly 2,400 governments, health-care systems and schools in the country were hit by ransomware in 2020. Organizations paid attackers more than $412 million in ransom payments last year, according to analysis firm Chainalysis.
After a May attack on Colonial Pipeline — which spurred panicked lines at gas pumps and empty fuel stations — the U.S. government increased its emphasis on addressing cybersecurity issues, and urged corporate America to strengthen its computer security.
Ransomware attacks have been on the rise as hackers band together and form cybercriminal gangs to extort companies for payment. The attacks are often carried out by attackers in Russia and Eastern Europe.
Hackers gain access to a company’s computer system using tactics such as sending “phishing” emails, which are designed to trick employees into inadvertently installing malware on their computers.
Once inside, cybercriminals will lock down parts of the companies’ networks and demand payment to release them back to the owner. Additionally, hackers often steal private company information and threaten to leak it online if they are not paid.
It is still unclear how attackers gained access to Kaseya’s system. The company has been a popular target of REvil, Liska said, probably because it serves so many other organizations as customers.
The attackers included a ransom note directing victims to a website to pay a ransom, although Liska said the site had been down all afternoon and evening.
Kaseya spokesperson Dana Liedholm said its investigation of the incident is ongoing, and pointed to the company’s earlier statement.
The late Friday attack is unlikely to be a coincidence — such big attacks take planning and preparation, Liska said.
“The timing of this is definitely around knowing that it’s the Fourth of July weekend,” he said.