Ransomware Attack on Supply Chain Affects 1,000+ Companies Before Holiday Weekend – CBS Denver
(CBS4) – As Americans celebrate the July 4th holiday weekend, cybersecurity experts across the country plan to work overtime to combat a massive ransomware attack on the supply chain. More than 1,000 companies found their data encrypted on Friday, according to cybersecurity firm Huntress.
In an update on Saturday morning, software provider Kaseya confirmed that it had been the victim of a sophisticated cyberattack on its VSA product. VSA software is used by more than 36,000 customers, including managed service providers (MSPs) who look after companies’ IT infrastructure.
On Friday evening, Fred Voccola, CEO of Kaseya, said the company was aware of fewer than 40 affected MSPs. For every targeted MSP, there are dozens of companies at risk of being compromised. Many small and medium-sized companies use MSPs because they lack the internal resources to manage their own IT infrastructure.
It is still unclear how the attackers gained access to the software, but the number of organizations affected is expected to increase. Huntress security researcher John Hammond estimated the attack could hit thousands of small businesses.
Based on a combination of service providers reaching out to us for help and the comments we see on this thread, it is reasonable to assume that this could potentially affect thousands of small businesses.
– John Hammond (@_johnhammond) July 3, 2021
Huntress has attributed the attack with high confidence to the Russia-linked REvil Ransomware-as-a-Service (RaaS) operation, also known as Sodinokibi. The criminal group provides malware kits to its affiliates, who carry out the attacks in exchange for a cut of the profits.
REvil was recently behind the May cyberattack that disrupted operations at more than a dozen JBS meat packing plants, including the company’s North American headquarters in Greeley. JBS confirmed that it paid the cyber criminals $11 million in bitcoin.
BleepingComputer and Bloomberg report that REvil issued ransom demands of $5,000 to $45,000 in cryptocurrency on Friday.
“It is possible that companies that choose to negotiate the demand will face delays due to the potentially unprecedented number of concurrent negotiations REvil has to deal with. It’s just another obstacle victims may have to deal with,” said Brett Callow, threat analyst at cybersecurity firm Emsisoft.
REvil is behind some of the largest known ransom demands, including $42 million from entertainment law firm Grubman Shire Meiselas & Sacks. IBM Security X-Force reports that REvil made at least $81 million from extortion in 2020.
The timing of the ransomware attack on the Friday before the holiday weekend could be part of REvil’s strategy. JBS became aware of its ransomware attack over Memorial Day weekend, when employees tend to take time off.
Attacks on the supply chain are becoming more common. The SolarWinds attack, discovered in late 2020, began with a corrupted software update that allowed Russian spies to access networks of at least 100 companies and nine federal agencies.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it is taking action to combat Friday’s supply chain attack. In a security advisory, Kaseya recommended that customers shut down their VSA servers immediately to prevent the attack from spreading. The company is working with the Federal Bureau of Investigation and an incident response firm to develop a patch for on-premises customers, along with a self-assessment tool so companies can determine whether they have been affected.
.@CISAgov is taking action to understand and combat the #ransomware attack in the supply chain against Kaseya VSA and the multiple #MSPs using VSA software. Read the Kaseya notice and immediately follow their instructions to shut down VSA servers: https://t.co/48QLkEm1eY
– US-CERT (@USCERT_gov) July 2, 2021
Kaseya said all on-premises VSA servers should remain down until further notice. A patch must be applied before the VSA is restarted. Customers who receive messages from the attackers should not click any links, Kaseya said, as they could be “weaponized”.
According to Kaseya, its software-as-a-service customers were never at risk. The company expects to restore service to these customers within the next 24 to 48 hours.
Kaseya plans to post updates on the attack to its website throughout the weekend.