According to a cybersecurity researcher whose company was responding to the incident, a ransomware attack on Friday, 2nd of July, 2021, that paralyzed the networks of at least 200 U.S. companies. It is believed that the attack was carried out by the REvil gang, a big Russian-speaking ransomware syndicate, said John Hammond of the security firm Huntress Labs.
According to him, the criminals used a software provider called Kaseya, which uses network-management packages to exploit cloud-services providers to spread the ransomware.
Hammond’s assessment is supported by other researchers as well. “Kaseya handles large enterprises all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business, this is a colossal and devastating supply chain attack.” Hammond said in a direct message on Twitter.
In these kinds of cyberattacks, malware is spread through the use of software that updates automatically, resulting in an infection. No information is available on how many Kaseya customers may be affected or who they are. No information is available on how many Kaseya customers may be affected or who they are. The company said the attack only affected a “small number” of its customers.
Brent Callow, a cybersecurity expert with Emsisoft, said no previous ransomware supply-chain attacks of this size had been reported to him. Others have occurred, but they were relatively minor, he said.
He said, “This is SolarWinds with ransomware.”, referring to a Russian cyberespionage campaign discovered in December, which used virus-infected network management software to infiltrate U.S. federal agencies and scores of corporations.
Rendition Infosec’s president, Jake Williams, said the firm is already working with six companies that have been affected. It’s not a coincidence that this happened before the Fourth of July holiday when IT staffing generally is low, he said. In his opinion, there’s no doubt that the timing was intentional.
Hammond of Huntress said that he was aware of the four managed-service providers – firms that host IT infrastructure for multiple customers – being attacked by this malware, which encrypts networks until the victim pays an attacker.
Approximately 200 businesses and thousands of computers have been encrypted by three Huntress partners, Hammond said. According to Hammond’s tweets, we have reason to believe this (is) REvil/Sodinikibi. The FBI linked the same ransomware provider to the May attack on JBS SA, which is a major meat processor.
Earlier Friday, the FBI said it was working with the Department of Homeland Security to gather more information about the situation. CISA urged anyone who might be affected to “follow Kaseya’s guidance to shutdown VSA servers immediately.”
Kaseya runs what’s called a virtual system administrator, or VSA, which is used to remotely manage and monitor a customer’s network. Kaseya, a privately held company, is based in Dublin, Ireland, with a U.S. headquarters in Miami. In a recent report about a cybersecurity platform it recently acquired, the Miami Herald referred to the company as “one of Miami’s oldest tech companies” by 2022.
Brian Honan, a cybersecurity consultant in Ireland, said in an email Friday that the attack is a classic supply chain attack, where criminals compromise a trusted supplier and exploit that trust to attack their customers.
The good news, said Williams, of Rendition Infosec, is that “lots of our customers don’t have Kaseya on every machine in their network, making it harder for attackers to move across an organization’s computer systems and easy for customers to recover too!”
In April 2019, the group known as REvil started offering ransomware-as-a-service, meaning that it created network-paralysing software that it leased to affiliates who then infected targets and collected the ransom.
It is among the ransomware gangs that steals target data before activating the ransomware, strengthening their extortion efforts. Palo Alto Networks cybersecurity firm said in a recent report that the average ransom payment to the group was about half a million dollars last year.
According to cybersecurity experts, given the large number of victims, the gang might find it difficult to negotiate a ransom given the lengthy holiday weekend, which could give it more time to work through the list.
