“I wouldn’t be surprised if it was thousands of companies,” said Fabian Wosar, the chief technology officer of Emsisoft, a company that provides software and advice to help organizations defend against ransomware attacks. “We just don’t know yet because of the long weekend in the U.S.”
Coop Sweden, a major grocery chain, said on its Facebook page Saturday that its IT provider had been hit by an attack, locking up its cash registers and forcing it to shut down hundreds of stores.
Because of the vast number of companies potentially affected, the attack could prove to be one of the biggest in history. Researchers said REvil, the hacker group that attacked the meat processor JBS this spring, was behind this attack.
The assault could increase tensions between the United States and Russia, as it comes just weeks after President Biden met with Russian President Vladimir Putin in Geneva, warning him that the United States would hold Moscow accountable for cyberattacks that originate in Russia. Many cybersecurity threat analysts think that REvil operates largely from Russia. The recent spate underscores the challenge the Biden administration faces in deterring ransomware attacks conducted by criminals given safe harbor in countries like Russia.
Instead of a careful, targeted attack on a single large company, this hack seems to have used managed-service providers to spread its harm indiscriminately through a huge network of smaller companies. Unlike most ransomware attacks, it doesn’t appear that REvil tried to steal sensitive data before locking its victims out of their systems, Wosar said.
“At this point, at least it seems it was more a spray-and-pray attack. They didn’t try to exfiltrate data from all the victims,” he said. “It was more like carpet bombing.”
“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it,” Kaseya CEO Fred Voccola wrote in a statement Friday night.
Researchers said cybercriminals were sending two different ransom notes on Friday — demanding $50,000 from smaller companies and $5 million from larger ones.
The U.S. Cybersecurity and Infrastructure Security Agency urged companies in a statement to follow Kaseya’s advice and said it is “taking action to understand and address the recent supply-chain ransomware attack.”
“It is absolutely the biggest non-nation-state supply-chain cyberattack that we’ve ever seen,” Allan Liska, a researcher with the cybersecurity firm Recorded Future, said Friday. “And it’s probably the biggest ransomware attack we’ve seen, at least the biggest since WannaCry.”
He noted that it could be the largest number of companies hit in one ransomware attack. Those affected are likely to range from small to large firms, many of them small to midsize businesses that rely on managed IT services. Kaseya also counts a number of state and local governments as customers, Liska said.
The WannaCry computer worm affected hundreds of thousands of people in 2017. The National Security Agency eventually linked the North Korean government to the creation of the worm.
Ransomware attacks increased significantly in frequency and severity during 2020. A report from a task force of more than 60 experts said nearly 2,400 governments, health-care systems and schools in the country were hit by ransomware in 2020. Organizations paid attackers more than $412 million in ransoms last year, according to the analysis firm Chainalysis.
After a May attack on Colonial Pipeline — which led to panicked lines at gas pumps and empty fuel stations — the U.S. government increased its emphasis on addressing cybersecurity issues and urged corporate America to strengthen its computer security.
Ransomware attacks have been on the rise as hackers band together and form cybercriminal gangs to extort companies for payment. The attacks are often carried out by attackers in Russia and Eastern Europe.
Hackers gain access to a company’s computer system using tactics such as sending “phishing” emails, which are designed to trick employees into inadvertently installing malware on their computers.
Once inside, cybercriminals will lock down parts of a company’s networks and demand payment to release them back to the owner. Additionally, hackers often steal private company information and threaten to leak it online if they are not paid.
It is still unclear how attackers gained access to Kaseya’s system. The company has been a popular target of REvil, Liska said, probably because it serves so many other organizations as customers.
The attackers included a ransom note directing victims to a website to make a payment, although Liska said the site had been down all of Friday afternoon and evening.
Ellen Nakashima contributed to this report.