Businesses rushed Saturday to contain a ransomware attack that paralyzed their computer networks, a situation complicated in the US by understaffed offices at the start of the July 4 holiday weekend.
In Sweden, most of the Coop supermarket chain’s 800 stores were unable to open because their cash registers were not working, according to SVT, the country’s public broadcaster. The Swedish State Railways and a large local pharmacy chain were also affected.
Cybersecurity experts say the REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack that targeted a software vendor called Kaseya, which used its network management suite as a channel to spread the ransomware through cloud service providers.
Kaseya CEO Fred Voccola said in a statement that the company believes it has identified the source of the vulnerability and “will release that patch as soon as possible to get our customers up and running again.”
John Hammond of security firm Huntress Labs said he was aware of a number of managed service providers — companies that host IT infrastructure for multiple customers — that have been hit by the ransomware, which encrypts networks until victims pay off the attackers.
“It’s reasonable to think that this could potentially affect thousands of small businesses,” said Hammond, basing his estimate on the service providers reaching out to his company for help and comments on Reddit showing how others are responding.
Voccola said fewer than 40 of Kaseya’s customers were affected, but the ransomware could still affect hundreds of businesses that depend on Kaseya’s customers to provide broader IT services.
Voccola said the problem only affects its “on-premise” customers, meaning organizations that run the software in their own data centers. It will not affect the cloud-based services that run software for customers, although Kaseya has also shut down those servers as a precaution, he said.
The company added in a statement on Saturday that “customers who have experienced ransomware and receive a message from the attackers should not click on links — they can be weaponized.”
Gartner analyst Katell Thielemann said it’s clear that Kaseya acted quickly, but it’s less clear whether their affected customers had the same level of preparedness.
“They responded with an abundance of caution,” she said. “But the reality of this event is that it is designed for maximum impact, combining a supply chain attack with a ransomware attack.”
Supply chain attacks typically infiltrate commonly used software and spread malware through the software’s own automatic update channel, so the malicious code reaches every organization that trusts and installs those updates.
The reaction is complicated by the fact that it happened at the start of a major holiday weekend in the US, when most corporate IT teams are not fully staffed.
That would also leave those organizations unable to address other security vulnerabilities, such as a dangerous Microsoft bug affecting print job software, said James Shank of threat intelligence firm Team Cymru.
“Kaseya’s customers are in the worst possible situation,” he said. “They are racing against time to bring out the updates on other critical bugs.”
Shank said “it’s reasonable to think the timing was planned” by hackers before the holiday.
The federal Cybersecurity and Infrastructure Security Agency said in a statement it is closely monitoring the situation and is working with the FBI to gather more information about its impact.
CISA urged everyone to “follow Kaseya’s guidelines to shut down VSA servers immediately.” Kaseya runs a so-called Virtual System Administrator, or VSA, which is used to remotely manage and monitor a customer’s network.
The privately owned Kaseya is based in Dublin, Ireland, with a US headquarters in Miami.
REvil, the group most experts have linked to the attack, was the same ransomware provider the FBI linked to an attack on JBS SA, a major global meat processor, over the Memorial Day holiday weekend in May.
The group has been operating since April 2019 and offers ransomware-as-a-service, meaning it develops and leases the network-crippling software to so-called affiliates that infect targets and earn the bulk of the ransom.
The Brazil-based meat company said it paid the equivalent of an $11 million ransom to the hackers, escalating calls from US law enforcement to bring such groups to justice.