The Washington Post

Widespread ransomware attack likely hit ‘thousands’ of companies on eve of long weekend

Hackers hit a major IT software provider, which allowed their attack to spread downstream into many small businesses that now face ransom demands to unlock their computer networks

FBI Director Christopher A. Wray at a Senate Appropriations Committee hearing in Washington in June. (Stefani Reynolds/Bloomberg News)

On Saturday morning, the information technology company Kaseya confirmed that it had suffered a “sophisticated cyberattack” on its VSA software — a set of tools used by IT departments to manage and monitor computers remotely. The company said that only about 40 customers had been affected.

But because Kaseya’s software is used by large IT companies that offer contract services to hundreds of smaller businesses, the hack could have spread to thousands of victims. Kaseya told all of its nearly 40,000 customers to disconnect their Kaseya software immediately. The cybersecurity firm Huntress Labs said it had tracked 20 IT companies, known as managed-service providers, that had been hit. More than 1,000 of those companies’ clients, mostly small businesses, also had been affected by the hack, Huntress Labs said on Reddit.

“I wouldn’t be surprised if it was thousands of companies,” said Fabian Wosar, the chief technology officer of Emsisoft, a company that provides software and advice to help organizations defend against ransomware attacks. “We just don’t know yet because of the long weekend in the U.S.”

A major grocery chain in Sweden said Saturday that its IT provider had been hit by an attack and that its cash registers were locked up. It had to shut down hundreds of stores, the company, Coop Sweden, said on its Facebook page.

Because of the vast number of companies potentially affected, the attack could prove to be one of the biggest in history. Researchers said REvil, the hacker group that attacked the meat processor JBS this spring, was behind this attack.

The assault could increase tensions between the United States and Russia, as it comes just weeks after President Biden met with Russian President Vladimir Putin in Geneva, warning him that the United States would hold Moscow accountable for cyberattacks that originate in Russia. Many cybersecurity threat analysts think that REvil operates largely from Russia. The recent spate underscores the challenge the Biden administration faces in deterring ransomware attacks conducted by criminals given safe harbor in countries like Russia.

Instead of a careful, targeted attack on a single large company, this hack seems to have used managed-service providers to spread its harm indiscriminately through a huge network of smaller companies. Unlike most ransomware attacks, it doesn’t appear that REvil tried to steal sensitive data before locking its victims out of their systems, Wosar said.

“At this point, at least it seems it was more a spray-and-pray attack. They didn’t try to exfiltrate data from all the victims,” he said. “It was more like carpet bombing.”

“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it,” Kaseya CEO Fred Voccola wrote in a statement Friday night.

Researchers said cybercriminals were sending two different ransom notes on Friday — demanding $50,000 from smaller companies and $5 million from larger ones.

The U.S. Cybersecurity and Infrastructure Security Agency urged companies in a statement to follow Kaseya’s advice and said it is “taking action to understand and address the recent supply-chain ransomware attack.”

“It is absolutely the biggest non-nation-state supply-chain cyberattack that we’ve ever seen,” Allan Liska, a researcher with the cybersecurity firm Recorded Future, said Friday. “And it’s probably the biggest ransomware attack we’ve seen, at least the biggest since WannaCry.”

He noted that it could be the largest number of companies hit in one ransomware attack. The companies affected could include a wide range of small to large firms, and many are likely to be small to midsize businesses that use managed IT services. Kaseya also counts a number of state and local governments as customers, Liska said.

The WannaCry computer worm affected hundreds of thousands of people in 2017. The National Security Agency eventually linked the North Korean government to the creation of the worm.

Ransomware attacks increased significantly in frequency and severity during 2020. A report from a task force of more than 60 experts said nearly 2,400 governments, health-care systems and schools in the country were hit by ransomware in 2020. Organizations paid attackers more than $412 million in ransoms last year, according to the analysis firm Chainalysis.

After a May attack on Colonial Pipeline — which led to panicked lines at gas pumps and empty fuel stations — the U.S. government increased its emphasis on addressing cybersecurity issues and urged corporate America to strengthen its computer security.

Ransomware attacks have been on the rise as hackers band together and form cybercriminal gangs to extort companies for payment. The attacks are often carried out by attackers in Russia and Eastern Europe.

Hackers gain access to a company’s computer system using tactics such as sending “phishing” emails, which are designed to trick employees into inadvertently installing malware on their computers.

Once inside, cybercriminals will lock down parts of a company’s networks and demand payment to release them back to the owner. Additionally, hackers often steal private company information and threaten to leak it online if they are not paid.

It is still unclear how attackers gained access to Kaseya’s system. The company has been a popular target of REvil, Liska said, probably because it serves so many other organizations as customers.

The attackers included a ransom note directing victims to a website to make a payment, although Liska said the site had been down all of Friday afternoon and evening.

Ellen Nakashima contributed to this report.