Massive Ransomware Attack Affects Hundreds of Businesses

Software company Kaseya was targeted by a cyberattack starting Friday that has since spread to hundreds of mainly small and medium-size businesses. On Monday, Kaseya chief executive Fred Voccola reported to Anne Neuberger, the deputy national security advisor for cyber and emerging technology, that the attackers demanded a $70 million ransomware payment and that his company wasn’t aware of any breach of critical infrastructure impacting national security. According to experts, the attackers may be members of REvil, a Russian cybercriminal group.

The Wall Street Journal reports that, “Kaseya’s VSA software is used by many technology companies to provide computer management services, potentially providing a gateway to other victims” around the world. Coop, a Swedish grocery store chain, was forced to close some of its outlets and computers at New Zealand schools were locked.

At the Dutch Institute for Vulnerability Disclosure (DIVD), chair Victor Gevers said that one bug — which Kaseya was already working to patch — was “due to a simple error in the company’s code.” Fifty customers were compromised, about 40 of which were managed service providers (MSPs), which gave hackers the ability to execute a so-called supply-chain attack. Now, all of those MSP customers have been hit by ransomware.

In addition to REvil’s $70 million demand, “victims of the group can also pay amounts varying between $25,000 and $5 million directly to unlock their systems even if nobody pays the $70 million.” The hackers most recently said they hacked 1 million computers, but Emsisoft threat analyst Brett Callow said that seems “like an enormous overestimate.”

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which “advised Kaseya users to shut down their VSA servers … has been monitoring the situation.” In the hack of the meat processor JBS, REvil collected a $11 million payment.

The New York Times reports that Swedish grocery chain Coop “was forced to close at least 800 stores on Saturday, according to Sebastian Elfors, a cybersecurity researcher for the security company Yubico.” President Biden said he directed the “full resources of the federal government” to investigate the attack.

Threat researcher Kevin Beaumont said this attack “marked a serious escalation in the tactics of ransomware gangs” and Huntress Labs researcher John Hammond said, “what makes this attack stand out is the trickle-down effect, from the managed service provider to the small business.” Electronic Arts was also recently hacked, “but its data was not held for ransom.”

Wired reports Sophos Labs senior threat researcher Sean Gallagher said that, “usually ransomware actors need multiple vulnerabilities at different stages to do that or time on the network to uncover administrator passwords,” he said. “This is a step above what ransomware attacks usually look like.”

At DIVD, Wietse Boonstra was already working with Kaseya to develop and test patches, but it hadn’t been deployed when REvil attacked. Emsisoft’s Callow noted that REvil licenses its ransomware to “a network of affiliates who run their own operations and then simply give REvil a cut.”

The FBI stated that, “although the scale of this incident may make it so that we are unable to respond to each victim individually, all information we receive will be useful in countering this threat.”

Related:
Attempted Hack of RNC and Russian Ransomware Attack Test Biden, The New York Times, 7/6/21
Biden Says Ransomware Attack Caused ‘Minimal Damage’ to U.S. Companies, Reuters, 7/6/21