New ransomware attack compromises 1,000 US companies


Another cyberattack attributed to the REvil group, which runs a “ransomware-as-a-service” operation, compromised hundreds of US companies last Friday. The most recent count is around 1,000 companies, most of them customers of managed service providers (MSPs) that run Kaseya’s VSA remote monitoring and management platform. Because a single VSA server can push software to every endpoint an MSP manages, each compromised provider multiplies into dozens or hundreds of downstream victims, so the full impact could be far greater than the initial count, potentially making this one of the biggest ransomware attacks in history. It is already known that the attackers abused VSA to reach nearly 50 of Kaseya’s direct customers.

Security firm Huntress, for example, told Gizmodo that three of its clients, all MSPs running VSA, were affected by the attack and that, as a result, around 200 small businesses that rely on those MSPs had their systems encrypted.

“We are aware of four MSPs where all customers are affected – three in the US and one overseas. MSPs with thousands of endpoints are being hit,” said John Hammond, a senior security researcher at Huntress.

Florida-based Kaseya serves more than 40,000 organizations worldwide. It has asked customers running on-premises VSA servers to shut them down immediately, since a running server is the foothold the attackers need to reach the endpoints it manages.

“We believe we have identified the source of the vulnerability and are preparing a patch to mitigate it for our local customers that will be thoroughly tested,” Kaseya added in a statement issued on Saturday. “We will release this patch as soon as possible to get our customers back up and running.”

Customers will need to install the patch before bringing VSA back online, and Kaseya says it will also publish a set of recommendations for hardening the platform. All on-premises VSA servers should remain offline until Kaseya gives further instructions on when it is safe to restore operations. Kaseya executives are contacting affected customers directly to understand their situations and what assistance is possible.

REvil is a major cybercriminal gang whose ransomware has been used against high-profile targets including Apple and Acer. It is also believed to be the gang behind the attack on meat supplier JBS, which paid $11 million in ransom.

The FBI is investigating the incident in coordination with CISA and is conducting outreach to possibly affected victims. “If you believe your systems have been compromised, we encourage you to employ all recommended mitigations, follow Kaseya’s guidance to shut down your VSA servers immediately, and report to the FBI,” the bureau said.

The Washington Post reports that the hackers were seen sending “two different ransom notes on Friday – demanding $50,000 from smaller companies and $5 million from larger ones”.

Market analysts compare the Kaseya attack to the compromise of SolarWinds’ Orion platform, in which the attackers infiltrated Orion’s build process and shipped a trojanized update without leaving a trace; cybersecurity researchers say those intruders are likely still active inside some breached networks. The comparison is about reach rather than technique: both attacks turned a widely deployed management tool into a distribution channel, but Kaseya says the REvil affiliates exploited a vulnerability in VSA itself rather than tampering with a software update.

In recent months, American companies have become prime targets for cybercriminals. In May, Colonial Pipeline, operator of one of the largest fuel pipelines in the United States, was forced to suspend operations after a cyberattack. At the time, the FBI confirmed that DarkSide, a group believed to operate from Russia, was responsible. Colonial manages 8,850 kilometers of pipeline between Texas and New York, transporting the equivalent of 2.5 million barrels of gasoline, diesel and aviation fuel every day, about 45% of the supply for the entire East Coast. The shutdown therefore disrupted a service vital to the large population centers of the eastern and southern United States.

Weeks later, the attack on JBS led to the temporary shutdown of all nine of its beef processing plants in the United States and Canada.

A problem for nations

The National Security Agency (NSA) and other US government security agencies issued a joint advisory on Thursday describing how Russian military intelligence has been trying to break into private and government computer networks over the past two years. The advisory does not cite specific hacks, though it does provide pages of technical details, noting, for example, that the attackers frequently brute-forced passwords against organizations’ cloud services, such as Microsoft 365, as a way into their intended targets.

This intense activity against US targets has revived talk of an international cyber agreement that would set ground rules for what is and is not allowed and define sanctions for violators. But many cyber experts remain deeply skeptical that such an agreement can be reached, let alone enforced, not least because these discussions have already been going on for years.

The first big challenge would simply be to get everyone to agree to the rules. Russia, China, Iran, and North Korea have been accused of significant intrusions against the US, and analysts say these countries find cyber attacks cheap, effective, and easy to deny.

It is not even clear whether these countries would be willing to agree to any terms, because cyberattacks for them are “really useful in their geopolitical positioning,” April Falcon Doss, a former NSA official, told NPR.

In her opinion, a cyber treaty would be extremely difficult to monitor and enforce. Nuclear, biological and chemical weapons require physical production, development and storage that inspectors can observe, whereas cyber weapons are ephemeral and leave little to inspect.