Massive ransomware attack hits scores of U.S. firms


Massive ransomware attack in U.S. reported

A massive ransomware attack has paralyzed the networks of at least 200 U.S. companies, the Washington Times reported, quoting a cybersecurity researcher whose company was responding to the incident.

The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs.

He said the criminals targeted a software supplier called Kaseya, using its network management package as a conduit to spread the ransomware through cloud service providers.

Kaseya is based in Miami, Florida.

Reuters reported that the attackers changed a Kaseya tool called VSA, used by companies that manage technology at smaller businesses. They then encrypted the files of those providers’ customers simultaneously.

Security firm Huntress said it was tracking eight managed service providers that had been used to infect some 200 clients.

Kaseya said on its own website that it was investigating a “potential attack” on VSA, which is used by IT professionals to manage servers, desktops, network devices and printers.

It said it shut down some of its infrastructure in response and that it was urging customers that used VSA on their premises to immediately turn off their servers.

“This is a colossal and devastating supply chain attack,” Huntress senior security researcher John Hammond said in an email, referring to an increasingly high-profile hacking technique of hijacking one piece of software to compromise hundreds or thousands of users at a time.

Hammond added that because Kaseya is plugged into everything from large enterprises to small companies, “it has the potential to spread to any size or scale business.” Many managed service providers use VSA, although their customers may not realize it, experts said.

Some employees at service providers said on discussion boards that their clients had been hit before they could get a warning to them.


Reuters was not able to reach a Kaseya representative for further comment. Huntress said it believed the Russia-linked REvil ransomware gang – the same group of actors blamed by the FBI for paralyzing meat packer JBS (JBSS3.SA) last month – was to blame for the latest ransomware outbreak.

DEMANDS FOR RANSOM

A private security executive working on the response effort said that ransom demands accompanying the encryption ranged from a few thousand dollars to $5 million or more.

The corruption of an update process shows a marked escalation in sophistication from most ransomware attacks, which take advantage of security loopholes such as common passwords without two-factor authentication.

An email sent to the hackers seeking comment was not immediately returned. In a statement, the U.S. Cybersecurity and Infrastructure Security Agency said it was “taking action to understand and address the recent supply-chain ransomware attack” against Kaseya’s VSA product.

Supply chain attacks have crept to the top of the cybersecurity agenda after the United States accused hackers of operating at the Russian government’s direction and tampering with a network monitoring tool built by Texas software firm SolarWinds.

Kaseya has 40,000 customers for its products, though not all use the affected tool.

Between 6 and 12 May, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack.

The attack impacted computerized equipment managing the pipeline, disrupting gas supply to the East Coast.

The company paid 75 bitcoins, worth $4.4 million, as ransom.

Weeks later, the FBI traced the hackers and recovered 63.7 out of the 75 bitcoins.
