Businesses worldwide rushed Saturday to contain a ransomware attack that had paralyzed their computer networks, a situation exacerbated in the United States by offices that were understaffed at the start of the Fourth of July holiday.
It is unknown how many organizations have been hit by demands to pay a ransom in order to restore their systems, but some cybersecurity researchers believe the attack targeting Kaseya customers could be one of the largest ransomware attacks on record — even after a rash of headline-grabbing attacks in recent months.
“The number of victims here is already over a thousand and will likely reach the tens of thousands,” said Silverado Policy Accelerator think tank cybersecurity expert Dmitri Alperovitch, “and no other ransomware campaign comes even close in terms of impact.”
According to the cybersecurity firm ESET, at least 17 countries have been affected, including the United Kingdom, South Africa, Argentina, Mexico, and Spain.
According to SVT, the country's public broadcaster, most of the grocery chain Coop's 800 stores in Sweden were unable to open due to malfunctioning cash registers, as were the Swedish State Railways and a major local pharmacy chain.
According to cybersecurity experts, the REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack on software company Kaseya, using its network-management package as a conduit to spread ransomware through cloud-service providers.
In a statement, Kaseya CEO Fred Voccola stated that the company believes it has identified the source of the vulnerability and will “release that patch as soon as possible to get our customers back up and running.”
Fewer than 40 Kaseya customers have been identified as having been affected, according to Voccola, but experts believe the ransomware could still be affecting hundreds more businesses that rely on Kaseya's clients who provide broader IT services.
According to John Hammond of security firm Huntress Labs, a number of managed-services providers — companies that host IT infrastructure for multiple customers — have been hit by the ransomware, which encrypts networks until victims pay the attackers.
“It’s reasonable to believe this could potentially affect thousands of small businesses,” Hammond said, basing his estimate on service providers contacting his company for help and comments on Reddit demonstrating how others are reacting.
According to Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, at least some victims appeared to be receiving ransom demands of $45,000, a small demand but one that could quickly add up when sought from thousands of victims.
Callow stated that it is not uncommon for sophisticated ransomware gangs to perform an audit after stealing a victim's financial records in order to determine how much they can truly pay, but this will not be possible at this scale.
“They simply pitched the demand amount at a level that most companies would be willing to pay,” he explained.
The problem, according to Voccola, only affects its “on-premise” customers, which are organizations that run their own data centers, and not its cloud-based services that run software for customers, though Kaseya did shut down those servers as a precaution.
In a statement released on Saturday, the company stated that “customers who experienced ransomware and received a communication from the attackers should not click on any links because they may be weaponized.”
According to Gartner analyst Katell Thielemann, it is clear that Kaseya acted quickly, but it is unclear whether their affected clients were as prepared.
“They reacted cautiously,” she explained, “but the reality of this event is that it was designed for maximum impact, combining a supply chain attack with a ransomware attack.”
Supply chain attacks infiltrate widely used software and spread malware as it automatically updates.
The fact that it occurred at the start of a major holiday weekend in the United States complicates the response because most corporate IT teams are understaffed.
According to James Shank of threat intelligence firm Team Cymru, this could also leave those organizations unable to address other security flaws, such as a dangerous Microsoft bug affecting software for print jobs.
“Kaseya customers are in the worst possible situation,” he said, “because they are racing against the clock to get updates out on other critical bugs.”
According to Shank, it's "reasonable to believe" that hackers planned the timing for the holiday.
According to the US Chamber of Commerce, the incident impacted hundreds of businesses and served as “another reminder that the US government must take the fight to these foreign cybercriminal syndicates” by investigating, disrupting, and prosecuting them.
In a statement, the federal Cybersecurity and Infrastructure Security Agency said it is closely monitoring the situation and is collaborating with the FBI to gather more information about its impact.
CISA advised anyone who may be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.” Kaseya operates what is known as a virtual system administrator, or VSA, which is used to remotely manage and monitor a customer’s network.
Kaseya is headquartered in Dublin, Ireland, with a US office in Miami.
REvil, the group most experts blame for the attack, was the same ransomware provider that the FBI blamed for an attack on JBS SA, a major global meat processor forced to pay an $11 million ransom during the Memorial Day holiday weekend in May.
The group, which has been active since April 2019, provides ransomware-as-a-service, which means it develops the network-paralyzing software and leases it to so-called affiliates, who infect targets and earn the majority of the ransoms.
According to US officials, the most powerful ransomware gangs are based in Russia and allied states, operate with Kremlin approval, and occasionally collaborate with Russian security services.
Alperovitch believes the latest attack is purely commercial in nature and not Kremlin-directed.
However, he stated that it demonstrates that Russian President Vladimir Putin has “yet to move” on shutting down cybercriminals within Russia after US President Joe Biden pressed him to do so during their June summit in Switzerland.
When asked about the attack during a visit to Michigan on Saturday, Biden said he had just been briefed and didn't know if the Russians were to blame, but that he expected to know more by Sunday.
Associated Press reporters Frank Bajak in Boston and Eric Tucker in Washington contributed to this story.