Widespread ransomware attack likely hit thousands of companies on eve of long weekend

On Saturday morning, information technology company Kaseya confirmed it had been hit by a "sophisticated cyberattack" on its VSA software - a set of tools used by IT departments to manage and monitor computers remotely. The company said only around 40 customers had been hit.

But since Kaseya's software is used by large IT companies that offer contracted services to hundreds of smaller businesses, the hack could have spread to thousands of victims. Kaseya warned all of its nearly 40,000 customers to disconnect their Kaseya software immediately. Cybersecurity firm Huntress Labs said they had tracked 20 IT companies, known as managed service providers, that had been hit. Over 1,000 of these companies' clients, mostly small businesses, had been hit by the hack too, Huntress Labs said on Reddit.

"I wouldn't be surprised if it was thousands of companies," said Fabian Wosar, chief technology officer of Emsisoft, a company that provides software and advice to help organizations defend against ransomware attacks. "We just don't know yet because of the long weekend in the U.S."

A major grocery chain in Sweden said Saturday that its IT provider had been hit by an attack, meaning its cash registers were locked up. It had to shut down hundreds of stores, the company, Coop Sweden, said on its Facebook page.

Because of the sheer number of companies potentially affected, the attack could prove to be one of the biggest in history. Researchers said REvil, the same hacker group that attacked JBS Meats earlier this year, was behind the attack.

The assault could ratchet up tensions between the U.S. and Russia, as it comes just weeks after President Joe Biden met with Russian President Vladimir Putin in Geneva, warning him that the United States would hold Moscow accountable for cyber attacks that emanate from Russia. Many cybersecurity threat analysts believe that REvil operates largely out of Russia. The recent spate shows underscores the challenge facing the Biden administration in deterring ransomware attacks conducted by criminals given safe harbor in countries like Russia.

Instead of a careful, targeted attack on a single large company, this hack seems to have used managed service providers to spread indiscriminately through a huge network of smaller companies. Unlike most ransomware attacks, it doesn't look like REvil tried to steal sensitive data before locking out its victims, Wosar said.

"At this point, at least it seems it was more a spray and pray attack, they didn't try to exfiltrate data from all the victims," he said. "It was more like carpet bombing."

"We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it," Kiyesa CEO Fred Voccola wrote in a statement Friday night.

Researchers said cybercriminals were sending two different ransom notes on Friday - demanding $50,000 from smaller companies and $5 million from larger ones.

The U.S. Cybersecurity and Infrastructure Security Agency urged companies in a statement to follow Kaseya's advice and said it is "taking action to understand and address the recent supply-chain ransomware attack."

"It is absolutely the biggest non-nation state supply-chain cyberattack that we've ever seen," Allan Liska, a researcher with cybersecurity firm Recorded Future, said Friday. "And it's probably the biggest ransomware attack we've seen, at least the biggest since WannaCry."

He noted it could be the largest number of companies one ransomware attack has hit. The companies affected could be a wide range of small to large firms, and many are likely to be small to midsized businesses that use managed IT services. Kaseya also counts a number of state and local governments as customers, Liska said.

The WannaCry computer worm affected hundreds of thousands of people in 2017. The National Security Agency eventually linked the North Korean government to the creation of the worm.

Ransomware attacks increased significantly in frequency and severity during 2020. A report from a task force of more than 60 experts said nearly 2,400 governments, health-care systems and schools in the country were hit by ransomware in 2020. Organizations paid attackers more than $412 million in ransom payments last year, according to analysis firm Chainalysis.

After a May attack on Colonial Pipeline - which spurred panicked lines at gas pumps and empty fuel stations - the U.S. government increased its emphasis on addressing cybersecurity issues, and urged corporate America to strengthen its computer security.

Ransomware attacks have been on the rise as hackers band together and form cybercriminal gangs to extort companies for payment. The attacks are often carried out by attackers in Russia and Eastern Europe.

Hackers gain access to a company's computer system using tactics such as sending "phishing" emails, which are designed to trick employees into inadvertently installing malware on their computers.

Once inside, cybercriminals will lock down parts of the companies' networks and demand payment to release them back to the owner. Additionally, hackers often steal private company information and threaten to leak it online if they are not paid.

It is still unclear how attackers gained access to Kaseya's system. The company has been a popular target of REvil, Liska said, probably because it serves so many other organizations as customers.

The attackers included a ransom note directing victims to a website to pay a ransom, although Liska said the site had been down all afternoon and evening.

Kaseya spokesperson Dana Liedholm said its investigation of the incident is ongoing, and pointed to the company's earlier statement.