Businesses around the world rushed on Saturday to contain a ransomware attack that crippled their computer networks, a situation complicated in the United States by low-staffed offices at the start of the July 4 bank holiday weekend.
It is not yet known how many organizations have been hit with ransom demands in order to get their systems back on track. But some cybersecurity researchers predict that the attack targeting customers of software provider Kaseya could be one of the largest ransomware attacks on record.
This follows a string of headline-grabbing attacks in recent months that have become a source of diplomatic tension between US President Joe Biden and Russian President Vladimir Putin over whether Russia has become a safe haven for cybercriminal gangs.
Biden said on Saturday he was not yet sure who was responsible, but suggested the United States would respond if it was discovered that Russia had something to do with it.
“If it’s knowingly and/or as a consequence of Russia, I’ve told Putin we’ll respond,” Biden said. “We’re not sure. The initial thought was that it wasn’t the Russian government.”
Cybersecurity experts say that the REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, which targeted software company Kaseya and used its network management package as a means of distributing the ransomware through cloud service providers.
“The number of victims here already exceeds a thousand and will likely reach tens of thousands,” said cybersecurity expert Dmitri Alperovitch of think-tank Silverado Policy Accelerator. “No other ransomware campaign comes close in terms of impact.”
Cybersecurity firm ESET says there are victims in at least 17 countries, including the UK, South Africa, Canada, Argentina, Mexico, Kenya and Germany.
In Sweden, most of the 800 stores of the Coop grocery chain could not open because their cash registers were not working, according to SVT, the country’s public broadcaster. Swedish railways and a large chain of local pharmacies were also affected.
Kaseya CEO Fred Voccola said in a statement that the company believes it has identified the source of the vulnerability and “will release this patch as soon as possible to get our customers back up and running.”
Voccola said fewer than 40 Kaseya customers were affected, but experts said the ransomware could still affect hundreds of other businesses that depend on those Kaseya customers for broader IT services.
John Hammond of security firm Huntress Labs said he was aware that a number of managed service providers – companies that host IT infrastructure for multiple clients – were affected by the ransomware, which encrypts networks until the victims pay the attackers.
“It’s reasonable to think that this could potentially impact thousands of small businesses,” Hammond said, basing his estimate on service providers contacting his business for help and on comments on Reddit showing how others were reacting.
At least some victims appeared to receive ransom demands of $45,000, which is considered a small request but could quickly add up when asked of thousands of victims, said Brett Callow, a ransomware expert at the cybersecurity company Emsisoft.
Callow said it’s not uncommon for sophisticated ransomware gangs to audit a victim’s stolen financial records to see what they can actually pay, but that won’t be possible when there are so many victims to negotiate with.
“They have just set the demand at a level that most businesses will be willing to pay,” he said.
Voccola said the problem only affected its “on-premises” customers, which means organizations running their own data centers. This does not affect its cloud-based services running software for clients, although Kaseya has also shut down those servers as a precaution, he said.
The company added in a statement on Saturday that “customers who have experienced ransomware and receive communication from attackers should not click on any links – they may be weaponized.”
Gartner analyst Katell Thielemann said it’s clear Kaseya has moved quickly into action, but it’s less clear whether their affected clients had the same level of preparedness.
“They reacted very cautiously,” she said. “But the reality of this event is that it was designed for maximum impact, combining a supply chain attack with a ransomware attack.”
Supply chain attacks typically infiltrate widely used software and spread malware as that software updates automatically.
Complicating the response, the attack happened at the start of a major holiday weekend in the United States, when most corporate IT teams were not fully staffed.
It could also prevent these organizations from addressing other security holes, such as a dangerous Microsoft bug in software for print jobs, said James Shank, of threat intelligence firm Team Cymru.
“Kaseya’s clients are in the worst possible situation,” he said. “They are racing against time to get updates on other critical bugs.”
Shank said “it’s reasonable to think the timing was planned” by the hackers for the holidays.
The US Chamber of Commerce said it affected hundreds of businesses and was “another reminder that the US government must fight these foreign cybercriminal syndicates” by investigating, disrupting and prosecuting them.
The Cybersecurity and Infrastructure Security Agency said in a statement that it was closely monitoring the situation and working with the FBI to gather more information on its impact.
CISA urged anyone who may be affected to “follow Kaseya’s advice to immediately shut down the VSA servers”. Kaseya runs what is called a Virtual System Administrator, or VSA, which is used to remotely manage and monitor a customer’s network.
The privately held Kaseya is based in Dublin, Ireland, with a US headquarters in Miami.
REvil, the group most experts linked to the attack, was the same ransomware provider that the FBI linked to an attack on JBS SA, a major global meat processor forced to pay an $11 million ransom, in the middle of the Memorial Day holiday weekend in May.
Active since April 2019, the group provides ransomware-as-a-service, which means it develops the network-crippling software and leases it to so-called affiliates who infect targets and earn the lion’s share of the ransoms.
U.S. officials have said the most powerful ransomware gangs are based in Russia and allied states and operate with the tolerance of the Kremlin and sometimes collude with Russian security services.
Alperovitch said he believed the latest attack was financially motivated and not led by the Kremlin.
However, he said it shows that Putin “has yet to budge” to stop cybercriminals in Russia after Biden urged him to do so at their June summit in Switzerland.
Asked about the attack during a trip to Michigan on Saturday, Biden said he asked the intelligence community for a “deep dive” into what happened. He said he expected to hear more by Sunday.
AP journalists Frank Bajak in Boston, Eric Tucker in Washington, and Josh Boak in Central Lake, Michigan contributed to this report.