Ransomware attack before holiday leaves companies scrambling – WSVN 7News

(AP) – Businesses around the world rushed Saturday to contain a ransomware attack that paralyzed their computer networks, a situation complicated by sparsely staffed offices at the start of the July 4th holiday weekend in the US.

It is not yet known how many companies have received ransom demands to get their systems running again. However, some cybersecurity researchers predict that the attack on customers of software vendor Kaseya could be one of the most far-reaching ransomware attacks on record, even after a run of headline-grabbing attacks in recent months.

“The number of victims here is already over a thousand and will likely go into the tens of thousands,” said cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank. “No other ransomware campaign comes close in terms of impact.”

Cybersecurity firm ESET says there are victims in at least 17 countries including the UK, South Africa, Canada, Argentina, Mexico and Spain.

In Sweden, most of the 800 shops of the Coop grocery chain couldn’t open because their registers weren’t working, according to the public broadcaster SVT. The Swedish State Railways and a large local pharmacy chain were also affected.

Cybersecurity experts say the REvil gang, a large Russian-speaking ransomware syndicate, appears to be behind the attack, using Kaseya's network management software as a conduit to spread the ransomware through cloud service providers.

Fred Voccola, CEO of Kaseya, said in a statement that the company believes it has identified the source of the vulnerability and “will release this patch as soon as possible to get our customers back up and running.”

Voccola said fewer than 40 of Kaseya's customers were affected, but experts said the ransomware could still hit hundreds more companies that rely on Kaseya's customers for broader IT services.

John Hammond of security firm Huntress Labs said he knew of a number of managed service providers, companies that host IT infrastructure for multiple customers, that had been hit by ransomware, which encrypts networks until victims pay the attackers.

“It’s reasonable to assume that this could potentially affect thousands of small businesses,” Hammond said, basing his estimate on the service providers reaching out to his company for help and on comments on Reddit that show how others are reacting.

At least some victims appeared to be receiving ransom demands of $45,000, which is considered a small demand but one that could add up quickly if made of thousands of victims, said Brett Callow, a ransomware expert at cybersecurity firm Emsisoft.

Callow said it is not uncommon for sophisticated ransomware gangs to audit a victim's stolen financial records to gauge how much it can actually pay, but that would not be possible on this scale.

“They have just brought the demand to a level that most companies are willing to pay,” he said.

Voccola said the problem only affects Kaseya's “on-premises” customers, meaning companies that run the software in their own data centers. It has no impact on Kaseya's cloud-based services, which run the software on the company's behalf for customers, although Kaseya shut those servers down as a precaution, he said.

The company added in a statement on Saturday that “customers who have experienced ransomware and receive a message from the attackers should not click links – they could be weaponized”.

Gartner analyst Katell Thielemann said it was clear that Kaseya acted quickly, but it is less clear whether its affected customers had the same level of readiness.

“They responded with an abundance of caution,” she said. “But the reality of this event is that it is designed for maximum impact, combining a supply chain attack with a ransomware attack.”

Supply chain attacks typically infiltrate widely used software and spread malware as that software is automatically updated, so the malicious code reaches victims through a channel they already trust.

To make matters worse, this happened at the start of a major holiday weekend in the United States, when many companies' IT teams were thinly staffed.

It could also keep these companies from patching other security vulnerabilities, such as a dangerous Microsoft bug in the software that handles print jobs, said James Shank of threat intelligence company Team Cymru.

“Kaseya’s customers are in the worst of situations,” he said. “They are racing against time to roll out updates for other critical bugs.”

Shank said, “It is reasonable to assume that the timing was planned by the hackers for the holiday.”

The US Chamber of Commerce said the attack affects hundreds of companies and is “another reminder that the US government must fight these foreign cybercriminal syndicates” by investigating, disrupting and prosecuting them.

The federal Cybersecurity and Infrastructure Security Agency (CISA) said in a statement that it is closely monitoring the situation and working with the FBI to gather more information about the attack's impact.

CISA urged anyone who could be affected “to follow Kaseya’s instructions to shut down VSA servers immediately”. Kaseya's product, called Virtual System Administrator, or VSA, is used to remotely manage and monitor customers' networks, which is what made it an effective channel for pushing the ransomware out to so many victims at once.

The privately owned Kaseya is based in Dublin, Ireland, with a US headquarters in Miami.

REvil, the group most experts have linked to the attack, is the same ransomware provider the FBI linked to the attack on JBS SA, a major global meat processor, over the Memorial Day holiday weekend in May. JBS paid a ransom of $11 million.

The group, which has been active since April 2019, offers ransomware-as-a-service, meaning it develops the network-crippling software and leases it to so-called affiliates, who infect targets and keep the lion’s share of the ransom.

US officials said the most powerful ransomware gangs are based in Russia and allied states and operate with the tolerance of the Kremlin and sometimes collaborate with Russian security services.

Alperovitch said he believed the latest attack was financially motivated and not Kremlin-led.

However, he said it shows that Russian President Vladimir Putin “has not yet moved” to shut down cybercriminals in Russia after US President Joe Biden urged him to do so at their June summit in Switzerland.

When asked about the attack during a trip to Michigan on Saturday, Biden said he had just been briefed and was not yet sure the Russians were responsible. He said he expected to know more by Sunday.

Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
