Sun, December 05, 2021


Widespread ransomware attack could affect hundreds of businesses

A supply-chain ransomware attack that hit hours before the beginning of a holiday weekend has already affected more than 200 businesses, researchers said.

On Friday, information technology company Kaseya sent out a warning of a "potential attack" on its VSA tool, which is used by IT to manage and monitor computers remotely. Kaseya urged customers to shut down their servers running the service.

"It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA," the company said.

It was unclear late Friday how disruptive the attack might be on U.S. businesses. More than 40,000 organizations use Kaseya products, which include VSA and other IT tools, the company says.

Researchers said cybercriminals were sending two different ransom notes on Friday - demanding $50,000 from smaller companies and $5 million from larger ones.

The U.S. Cybersecurity and Infrastructure Security Agency urged companies in a statement to follow Kaseya's advice and said it is "taking action to understand and address the recent supply-chain ransomware attack."

Huntress Labs, a cybersecurity software company that has clients affected by the attack, said it believes the hacking group REvil is behind the ransomware attack. That's the same group that the FBI said was responsible for the attack on JBS Meats, which resulted in the company paying REvil $11 million in ransom.

Huntress Labs said it had found eight Managed Service Providers - companies that provide IT services to other companies on a contractual basis - that had been hit by the attack. Around 200 businesses served by these MSPs have been locked out of parts of their networks, Huntress Labs said.

"It is absolutely the biggest non-nation state supply-chain cyberattack that we've ever seen," Allan Liska, a researcher with cybersecurity firm Recorded Future, said Friday. "And it's probably the biggest ransomware attack we've seen, at least the biggest since WannaCry."

He noted it could be the largest number of companies one ransomware attack has hit. The companies affected could be a wide range of small to large firms, and many are likely to be small to midsized businesses that use managed IT services. Kaseya also counts a number of state and local governments as customers, Liska said.

The WannaCry computer worm affected hundreds of thousands of people in 2017. The National Security Agency eventually linked the North Korean government to the creation of the worm.

Ransomware attacks increased significantly in frequency and severity during 2020. A report from a task force of more than 60 experts said nearly 2,400 governments, health-care systems and schools in the country were hit by ransomware in 2020. Organizations paid attackers more than $412 million in ransom payments last year, according to analysis firm Chainalysis.

After a May attack on Colonial Pipeline - which spurred panicked lines at gas pumps and empty fuel stations - the U.S. government increased its emphasis on addressing cybersecurity issues, and urged corporate America to strengthen its computer security.

Ransomware attacks have been on the rise as hackers band together and form cybercriminal gangs to extort companies for payment. The attacks are often carried out by attackers in Russia and Eastern Europe.

Hackers gain access to a company's computer system using tactics such as sending "phishing" emails, which are designed to trick employees into inadvertently installing malware on their computers.

Once inside, cybercriminals will lock down parts of the companies' networks, and demand payment to release them back to the owner. Hackers often also steal private company information and threaten to leak it online if they are not paid.

It is still unclear exactly how attackers gained access to Kaseya's system. The company has been a popular target of REvil, Liska said, likely because it serves so many other organizations as customers.

The attackers included a ransom note directing victims to a website to pay a ransom, though Liska said the site had been down all afternoon and evening.

Kaseya spokesperson Dana Liedholm said its investigation of the incident is ongoing, and pointed to the company's earlier statement.

The late Friday attack is unlikely to be a coincidence - such big attacks take planning and preparation, Liska said.

"The timing of this is definitely around knowing that it's the Fourth of July weekend," he said.

Published: July 03, 2021

By: The Washington Post · Rachel Lerman, Gerrit De Vynck