Businesses across the US rushed on Saturday to contain a ransomware attack that paralyzed computer networks around the world, a situation complicated in the US by offices being lightly staffed at the start of the Fourth of July weekend.
In Sweden, most of the grocery chain Coop’s 800 stores were unable to open because cash registers weren’t working, according to the public broadcaster. State railways and a major pharmacy chain were also affected.
Cybersecurity experts said the REvil gang, a major Russian-speaking ransomware syndicate, appeared to be behind the attack, which targeted a software supplier called Kaseya and used its VSA remote-monitoring and management product as a conduit to push the ransomware through managed-service providers to the businesses they administer.
The privately held Kaseya is based in Dublin with a US headquarters in Miami.
The US federal Cybersecurity and Infrastructure Security Agency (Cisa) said it was closely monitoring the situation and working with the FBI. Cisa urged anyone who might be affected to “follow Kaseya’s guidance to shut down virtual system administrator servers immediately”.
The FBI linked REvil to an attack on JBS SA, a major global meat processor, over the Memorial Day holiday weekend in May. Active since April 2019, the group provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.
The Brazil-based meat company said it paid the equivalent of an $11m ransom to the hackers, escalating calls by US law enforcement to bring such groups to justice.
Kaseya’s chief executive, Fred Voccola, said the company believed it had identified the source of the vulnerability and would “release that patch as quickly as possible to get our customers back up and running”.
John Hammond of the security firm Huntress Labs said he was aware of a number of managed-services providers – companies that run IT systems on behalf of other businesses – being hit by the ransomware, which encrypts victims’ files and demands payment for the key to unlock them.
“It’s reasonable to think this could potentially be impacting thousands of small businesses,” said Hammond.
Voccola said fewer than 40 Kaseya customers were known to be affected, but the ransomware could still be affecting hundreds more companies that rely on those Kaseya customers for their IT services.
Voccola said the problem was only affecting “on-premise” customers, organizations that run the VSA server on their own infrastructure. It was not affecting Kaseya’s own cloud-hosted VSA service, though Kaseya took those servers offline as a precaution, he said.
The company said “customers who experienced ransomware and receive a communication from the attackers should not click on any links – they may be weaponised”.
A Gartner analyst, Katell Thielemann, said it was clear Kaseya “reacted with an abundance of caution. But the reality of this event is it was architected for maximum impact, combining a supply chain attack with a ransomware attack.”
Supply chain attacks compromise widely used software or the vendor that distributes it, then spread malware to downstream users through the trusted channels, such as automatic updates and remote-management tools, that those users rely on. Complicating the response this time is that the Kaseya attack happened at the start of a major holiday weekend in the US, when most corporate IT teams are not fully staffed.
That could leave organizations unable to address other security vulnerabilities, such as a dangerous bug in the Windows print spooler service that Microsoft was also racing to patch, said James Shank, a threat intelligence analyst.
“Customers of Kaseya are in the worst possible situation,” he said. “They’re racing against time to get the updates out on other critical bugs.”
Shank said “it’s reasonable to think that the timing was planned” for the holiday.