Pre-holiday ransomware attacks force businesses to scramble
Companies scrambled on Saturday to contain a ransomware attack that paralyzed computer networks. The situation was complicated in the United States by offices left unstaffed at the start of the July 4th holiday weekend.
According to the Swedish public broadcaster SVT, most of the grocery chain Coop’s 800 stores in Sweden couldn’t open because the cashiers weren’t working. The Swedish National Railways and major local pharmacy chains were also affected.
According to cybersecurity experts, the REvil gang, a leading Russian-speaking ransomware syndicate, seems to be behind the attack. It targeted a software supplier called Kaseya, using the company’s network management package as a conduit for spreading ransomware through cloud service providers.
Kaseya CEO Fred Voccola said in a late Friday night statement that the company believed that it would identify the cause of the vulnerability and “release the patch as soon as possible to get customers back and running.”
John Hammond of security firm Huntress Labs said he knew of many managed service providers, companies that host IT infrastructure for multiple customers, that had been hit by the ransomware, which encrypts networks until the victim pays the attacker. He said thousands of computers were attacked.
“It’s reasonable to think that this could affect thousands of small businesses,” said Hammond, who based his estimate on the service providers contacting his company for help and on comments on Reddit showing how others are reacting.
According to Voccola, fewer than 40 of Kaseya’s customers are affected, but the ransomware may affect hundreds of companies that rely on Kaseya’s clients for a wider range of IT services.
Voccola said the issue only affects “on-premises” customers, that is, organizations that operate their own data centers. Kaseya also shut down these servers as a precaution, but he said the issue hadn’t affected cloud-based services running software for customers.
“Customers who have experienced ransomware and received communications from attackers should not click the link, which could be weaponized,” the company added in a statement on Saturday.
Gartner analyst Katell Thielemann said it was clear that Kaseya took action immediately, but it is not clear whether the affected customers had the same level of preparedness.
“They reacted with great care,” she said. “But the reality of this event is that it is designed to combine supply chain attacks and ransomware attacks to have the greatest impact.”
Supply chain attacks typically break into widely used software and spread malware when the software is automatically updated.
Complicating the response, the attack happened at the beginning of a major US holiday weekend, when most corporate IT teams aren’t well staffed.
In a statement, the federal Cybersecurity and Infrastructure Security Agency (CISA) said it was closely monitoring the situation and working with the FBI to gather more information on its impact.
CISA urged anyone who might be affected to “follow Kaseya’s guidance to shut down the VSA server immediately.” Kaseya runs a so-called virtual system administrator (VSA), which is used to remotely manage and monitor a customer’s network.
Privately held Kaseya is based in Dublin, Ireland and is headquartered in Miami.
REvil, the group most experts linked to the attack, is the same ransomware provider that the FBI linked to an attack on JBS SA, a leading global meat processor, on the Memorial Day holiday weekend in May.
The group, which has been active since April 2019, offers ransomware as a service. In other words, it develops network-paralyzing software and leases it to so-called affiliates who infect targets and earn most of the ransom.