The Washington Post

Ransomware attack struck between 800 and 1,500 businesses, says company at center of hack

Kaseya’s software touches hundreds of thousands of firms, but company says vast majority were unaffected

Kaseya’s webpage is seen through a magnifying glass in front of displayed binary code in this illustration on July 6. (Dado Ruvic/Reuters)

The software company at the center of a major ransomware attack said Tuesday the hack affected between 800 and 1,500 small businesses, potentially making it the largest ransomware attack ever.

Kaseya, which sells software to help other companies manage their computer networks, confirmed hackers broke into its system through a software vulnerability in its code. In a video posted to YouTube on Tuesday, chief executive Fred Voccola said the company shut down the compromised program within an hour of noticing the attack, potentially stopping the hackers from hitting more businesses.

Four days after the attack was discovered, it’s still unclear exactly how damaging it was, especially since many businesses have been shut for the long weekend. Kaseya sells software to thousands of IT providers, which in turn often serve thousands of clients, meaning the company touches 800,000 to a million small businesses around the world.

While some experts initially thought that meant the number of affected businesses could stretch into the tens of thousands, even 800 to 1,500 affected companies would still make this one of the more significant ransomware attacks ever. It’s still unclear what the overall impact may be.

For each organization hit, the hack could be crippling, shutting down computers and potentially wiping out all of their files. A Swedish grocery store chain and a handful of schools in New Zealand were among identified victims. But as of Tuesday, the attack appeared to have less of an immediate impact in the United States than the one on Colonial Pipeline in May, which led to panic-buying of fuel up and down the East Coast.

Voccola, who has said he wants to take Kaseya public in the coming year, apologized to victims but said the company had done everything it could to respond quickly and effectively to the attack.

“The impact of this incredibly sophisticated attack has been very minimal,” he said. “Unfortunately this happened. It happens. Doesn’t make it okay. It just means it’s the way the world we live in is today.”

Ransomware attacks work by burrowing into a business’s computer network and locking its owner out from the inside. Going through Kaseya theoretically gave hackers a way to hit many targets at once. The group behind the attack, a ransomware gang known as REvil, had initially told each small business hit by the attack they would need to pay around $50,000 to unlock their computers.

On Sunday, REvil said it would accept $70 million in cryptocurrency to unlock all the businesses at once. Jack Cable, a security architect at cybersecurity consulting firm Krebs Stamos Group, reached out to the hackers to research the offer. REvil immediately offered him a $20 million discount, without Cable even asking for it.

“That does seem a bit odd,” he said. The group may be eager to negotiate because they aren’t making as much as they’d hoped from individual ransoms, Cable said. Negotiating ransom payments with hundreds of businesses would be a time-consuming feat, even for a sophisticated group such as REvil.

The online tool for individual companies to pay ransoms was disabled for many victims this weekend, Cable said, perhaps in an effort to get the $70 million payout. But it was working again Tuesday.

REvil is thought by experts to be based in Russia, and the attack came just weeks after President Biden met with Russian President Vladimir Putin and discussed starting consultations on addressing cyberattacks. Biden said Saturday that the initial thinking was that the Russian government was not involved but that the White House was still looking into it.