Hackers launched a global ransomware attack on Friday, affecting more than 1,000 businesses and forcing Swedish supermarket chain Coop to close hundreds of stores.
In what appears to be one of the largest supply chain attacks to date, hackers have compromised Kaseya, a provider of IT management software, to spread ransomware to the managed service providers using the technology, and in turn to their customers.
Cybersecurity group Huntress Labs said on Saturday it had identified 20 compromised managed service providers, with more than 1,000 of their customers the victims of ransomware attacks — in which data is encrypted by hackers and only released if a ransom is paid.
Among them, Coop in Sweden said it closed all but five of its 800 stores on Saturday after the attack caused its POS system and cash registers to stop working. Coop said it was affected after its managed service provider, Visma Esscom, was hit.
Huntress attributed the attacks to REvil, the infamous Russia-affiliated ransomware cartel that the FBI claimed was behind the recent crippling attack on beef supplier JBS.
The incident is the latest example of hackers weaponizing the IT supply chain to attack victims on a massive scale by hacking into just one provider. Last year, it was revealed that Russian state-backed hackers had hijacked the SolarWinds IT software group to penetrate the email networks of US federal agencies and companies.
Kaseya said in a blog post that it had been the victim of a “sophisticated cyber attack” and that about 40 of its 36,000 direct customers were affected. It urged those using the compromised “VSA server” tool, which provides remote monitoring and patching capabilities, to shut it down immediately.
“Our outside experts advised us that customers who have experienced ransomware and receive communications from the attackers should not click on links — they could be weaponized,” it said.
“We believe we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers, which will be rigorously tested,” the company added.
Allan Liska of Recorded Future’s computer security incident response team said managed service providers’ customers are mostly small and medium-sized businesses seeking IT support, with the attacks highlighting the risks of relying on centralized third parties.
“We’ve essentially transferred too much trust so that if something happens to them, it becomes a catastrophic event for your organization through no fault of your own,” he said.
In a warning on Friday, the Cybersecurity and Infrastructure Security Agency said it is “taking action to understand and address the recent ransomware attack in the supply chain”.
The campaign is the latest in a series of daring ransomware attacks this year, including one on America’s Colonial Pipeline, that have led to pledges from the Biden administration to crack down on the perpetrators.
At last month’s Geneva summit, President Joe Biden urged Russian President Vladimir Putin to rein in ransomware hackers, who many believe are operating in the country with impunity.