A ransomware attack that disrupted computer networks forced businesses to scramble on Saturday to restore control, a situation made worse in the United States by companies working with skeleton staff in advance of the July 4th holiday weekend.

Cash registers at the majority of the grocery chain Coop’s 800 stores were unable to open as a result of the failure of the cash registers, according to Sweden’s national television. The Swedish State Railways and a major local pharmacy chain were also affected by the incident.

In the opinion of cybersecurity experts, the REvil gang, a major Russian-language ransomware organization, appears to have been behind the attack on a software supplier named Kaseya, using the company’s network management package as a conduit to distribute the ransomware through cloud computing services providers.

Kaseya CEO Fred Voccola said late Friday night that the firm believes it has identified the source of the vulnerability and that the company will “issue the patch as quickly as feasible to get our customers back online.”

John Hammond of security firm Huntress Labs reports that a number of managed services providers — companies that host IT infrastructure for a large number of customers — have been hit with the ransomware, which locks networks until the victims pay the attackers a ransom. In his estimation, many thousand computers had been hacked.

“It is reasonable to assume that this will have an impact on thousands of small businesses,” Hammond said, citing service providers who have come out to his firm for assistance as well as Reddit comments showing how others are responding.

Even though less than 40 of Kaseya’s customers have been recognized as being affected, Voccola believes that the ransomware may infect hundreds more companies that rely on Kaseya’s clients that provide a broader range of information technology services.

According to Voccola, the issue only affects customers that own and manage their own data center facilities. It has no impact on Kaseya’s cloud-based services, which are used to run client software, but Kaseya has shut down those servers as a precaution, he said.

“Customers who have been affected by ransomware and get contact from the attackers should avoid clicking on any links since they may be weaponized,” the firm warned in a statement on Saturday.

According to Gartner analyst Katell Thielemann, while Kaseya responded quickly, it is unclear if the company’s affected customers were equally prepared to deal with the situation.

“They were extremely cautious in their behavior,” she said. Nevertheless, the reality of this event is that it was planned for maximum impact, combining a supply chain attack with a ransomware attack.

Supply chain hacks often target commonly used software and spread malware via automatic software updates.

To make things worse, it happened at the start of a major holiday weekend in the United States, when the majority of business information technology departments are understaffed.

The National Institute of Standards and Technology (NIST) stated in a statement that it is closely monitoring the situation and working with the FBI to gather additional information about the attack’s impact.

CISA urged anybody who may be affected to “follow Kaseya’s recommendations to immediately shut down VSA servers,” according to the organization. Kaseya makes use of a virtual system administrator, also known as a VSA, to manage and monitor a customer’s network from a distant location.

Incorporated in Dublin, Ireland, and Miami, Florida, United States, Kaseya is a privately held business having offices in both countries.

REvil, the group that most experts believe was responsible for the attack, was the same ransomware provider that the FBI linked to an attack on JBS SA, a major global meat processor, during the Memorial Day weekend in May.

Since April 2019, the group has been providing ransomware-as-a-service, which means it develops the network-paralyzing software and leases it out to so-called affiliates who infect targets and receive the lion’s share of the ransoms.

About the Author

USA

Umair Akbar | Cloud Engineer

Umair Akbar is a Senior Information Security Engineer with over 5 years of experience leading the development and daily management of InfoSec systems.

View All Articles