A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident. The attack, first revealed last week, is believed to be the work of the prolific ransomware gang REvil and to have been perpetrated through Kaseya, an international software company whose remote-management tools are used by firms that, in turn, manage IT services for other businesses. The hackers targeted managed service providers, which often give IT support to small- to medium-size businesses, according to Huntress Labs. By compromising a managed service provider, or MSP, hackers may then be able to access and infiltrate the networks of every customer that MSP administers.
Two of the affected managed service providers are Synnex Corp. and Avtex LLC, according to two sources familiar with the breaches. Reached by telephone on Friday night, Avtex president George Demou replied to Bloomberg News in a text message that “Hundreds of MSPs have been impacted by what appears to be a Global Supply Chain hack.” The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers. Other researchers agreed with Hammond’s assessment. “It’s reasonable to think this could potentially be impacting thousands of small businesses,” Hammond said.
“Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,” Hammond said in a direct message on Twitter. “This is a colossal and devastating supply chain attack.” Kaseya announced that it had been attacked by hackers and warned all its customers to immediately stop using its service. Nearly 40 of its customers were hacked. Since those Kaseya customers manage hundreds or thousands of businesses, it is unclear how many will fall victim to ransomware over the weekend. But the number is already at least around 200, said Hammond, a senior security researcher at Huntress, which is helping with Kaseya’s response. That number is expected to rise.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It’s no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added. “There’s zero doubt in my mind that the timing here was intentional,” he said. The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.
Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims, though the long U.S. holiday weekend might give it more time to start working through the list. CISA urged anyone who might be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.” VSA, short for virtual system administrator, is Kaseya’s remote monitoring and management product, which MSPs use to administer and monitor their customers’ networks.