WASHINGTON – A ransomware attack crippled the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.
The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of security firm Huntress Labs. He said the criminals targeted a software vendor called Kaseya, using its network management package as a way to distribute the ransomware through cloud service providers. Other researchers agreed with Hammond’s assessment.
Attacks of this kind compromise a widely used piece of software and ride its trusted distribution channel, typically automatic updates, to push malware to everyone running it.
It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement posted on its website to immediately shut down servers running the affected software. The company said the attack was limited to a “small number” of its customers.
Brett Callow, a ransomware expert at cybersecurity firm Emsisoft, said he was not aware of any ransomware supply chain attacks on this scale. There had been others, but they were quite minor, he said.
“It’s SolarWinds with ransomware,” he said. He was referring to a Russian cyber espionage campaign discovered in December that spread by compromising network management software to infiltrate U.S. federal agencies and dozens of companies.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It is no coincidence that this happened just before the July 4 holiday weekend, when IT staffing is typically thin, he added.
“There is no doubt in my mind that the timing here was intentional,” he said.
Hammond of Huntress said he was aware of four managed service providers – companies that host IT infrastructure for multiple clients – that had been hit by the ransomware, which encrypts victims’ files and systems until the attackers are paid. He said thousands of computers had been affected.
“We currently have three Huntress partners who are impacted by about 200 businesses that have been encrypted,” Hammond said.
Hammond wrote on Twitter: “Based on everything we’re seeing right now, we strongly believe this is REvil / Sodinokibi.” The FBI has attributed the May attack on JBS SA, a major global meat processor, to the same ransomware group.
The federal Cybersecurity and Infrastructure Security Agency (CISA) said in a statement Friday evening that it was closely monitoring the situation and working with the FBI to gather more information on its impact.
CISA urged anyone who may be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.” Kaseya’s product, called Virtual System Administrator, or VSA, is used by IT providers to remotely manage and monitor customers’ networks.
Kaseya, a privately held company, says it is based in Dublin, Ireland, with its U.S. headquarters in Miami. The Miami Herald recently described it as “one of Miami’s oldest tech companies” in a report on its plan to hire up to 500 workers by 2022 to staff a newly acquired cybersecurity platform.
Brian Honan, an Irish cybersecurity consultant, said by email on Friday that “this is a classic supply chain attack in which criminals have compromised a trusted supplier and abused that trust to attack its customers.”
He said it can be difficult for small businesses to defend themselves against this type of attack because they “rely on the security of their vendors and the software they use.”
The only good news, said Williams, of Rendition Infosec, is that “a lot of our customers don’t have Kaseya on every machine on their network,” making it harder for the attackers to move through an organization’s computer systems.
That also makes recovery easier, he said.
Active since April 2019, the group known as REvil operates a ransomware-as-a-service model: it develops the malware that encrypts victims’ systems and leases it to so-called affiliates, who infect targets and keep the lion’s share of the ransoms.
REvil is one of the ransomware gangs that steal data from targets before triggering the encryption, giving them additional leverage for extortion. The average ransom payment to the group was around half a million dollars last year, cybersecurity firm Palo Alto Networks said in a recent report.
Some cybersecurity experts predicted that the gang might struggle to manage ransom negotiations with so many victims at once, although the long American holiday weekend may give them more time to start working through the list.
Bajak reported from Boston; O’Brien contributed from Providence, Rhode Island.