Ransomware attack may have impacted thousands of small businesses



Businesses rushed on Saturday to contain a ransomware attack that crippled their computer networks, a situation complicated in the United States by thinly staffed offices at the start of the July 4 holiday weekend.

In Sweden, most of the 800 stores of the Coop grocery chain could not open because their cash registers were not working, according to SVT, the country’s public broadcaster. Swedish railways and a large chain of local pharmacies were also affected.

Cybersecurity experts say that the REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, which targeted a software vendor called Kaseya, using its network management package as a means of spreading the ransomware through cloud service providers.

Kaseya CEO Fred Voccola said in a statement that the company believes it has identified the source of the vulnerability and “will release this patch as soon as possible to get our customers back up and running.”

John Hammond of security firm Huntress Labs said he was aware that a number of managed service providers (companies that host IT infrastructure for multiple clients) were affected by the ransomware, which encrypts networks until the victims pay the attackers.

“It’s reasonable to think that this could potentially impact thousands of small businesses,” Hammond said, basing his estimate on service providers contacting his business for help and comments on Reddit showing how others react.

Voccola said fewer than 40 Kaseya customers were affected, but the ransomware could still affect hundreds of other businesses that depend on Kaseya customers who provide broader IT services.

Voccola said the problem only affected its “on-premises” customers, which means organizations running their own data centers. This does not affect its cloud-based services running software for clients, although Kaseya has also shut down those servers as a precaution, he said.

The company added in a statement on Saturday that “customers who have experienced ransomware and receive communication from attackers should not click on any links – they can be armed.”

Gartner analyst Katell Thielemann said it’s clear Kaseya has moved quickly into action, but it’s less clear whether their affected clients had the same level of preparedness.

“They reacted very cautiously,” she said. “But the reality of this event is that it was designed for maximum impact, combining a supply chain attack with a ransomware attack.”

Supply chain attacks are those that typically infiltrate widely used software and spread malware as it updates automatically.

Complicating the response, the attack happened at the start of a major holiday weekend in the United States, when most corporate IT teams were not fully staffed.

It could also prevent these organizations from addressing other security holes, such as a dangerous Microsoft bug in software for print jobs, said James Shank, of threat intelligence firm Team Cymru.

“Kaseya’s customers are in the worst possible situation,” he said. “They’re racing against time to get updates on other critical bugs.”

Shank said “it’s reasonable to think the timing was planned” by hackers for the holidays.

The federal Cybersecurity and Infrastructure Security Agency said in a statement that it was closely monitoring the situation and working with the FBI to gather more information on its impact.

CISA urged anyone who may be affected to “follow Kaseya’s advice to immediately shut down the VSA servers”. Kaseya runs what is called a Virtual System Administrator, or VSA, which is used to remotely manage and monitor a customer’s network.

The privately held Kaseya is headquartered in Dublin, Ireland, with a US headquarters in Miami.

REvil, the group most experts linked to the attack, was the same ransomware vendor that the FBI linked to an attack on JBS SA, a major global meat processor, in the middle of Memorial Day weekend in May.

Active since April 2019, the group provides ransomware-as-a-service, which means it develops the network-crippling software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.

The Brazil-based meat company said it has paid hackers the equivalent of an $11 million ransom, escalating calls from US law enforcement to bring these groups to justice.
