New ransomware attack compromises 1,000 US companies

Newsroom - July 05, 2021

Another cyberattack attributed to the REvil group, which operates a “ransomware-as-a-service” business, compromised hundreds of US companies last Friday. The most recent count is 1,000 companies, most of them customers of Kaseya, provider of the VSA cloud platform, which is widely used by managed service providers (MSPs). So the effects of this attack could be far greater, potentially making it one of the biggest ransomware attacks in history. It is already known that cybercriminals used Kaseya’s corporate network to target nearly 50 of its customers.

Security firm Huntress, for example, told Gizmodo that three of its clients, which are MSPs and use VSA, were affected by the attack and that as a result, around 200 small businesses that rely on these MSPs were hit with encryption.

“We are aware of four MSPs where all customers are affected – 3 in the US and one overseas. MSPs with thousands of endpoints are being hit,” said John Hammond, a senior security researcher at Huntress. 

Florida-based Kaseya services more than 40,000 organizations worldwide, and has asked customers using its system administration platform to immediately shut down their servers to avoid the possibility of being compromised. 

Customers will need to install the patch before restarting the VSA, and there will be a set of recommendations on how to increase their security posture. All local VSA servers should remain offline until further instructions from Kaseya on when it is safe to restore operations. Kaseya executives are contacting affected customers directly to understand their situations and what assistance is possible.

REvil is a major cybercriminal gang that has used ransomware to go after major targets including Apple and Acer. It is also believed to be the gang that attacked meat supplier JBS, extorting the company for $11 million.

Weeks later, an attack on JBS led to the temporary shutdown of all nine beef processing plants in the United States and Canada.

A problem for nations

This intense activity by cybercriminals in the US has generated new talk about the possibility of an international cyber agreement that would set the ground rules for what is and is not allowed and set sanctions for violators. But many cyber experts remain deeply skeptical that such an agreement can be reached, let alone enforced, not least because these discussions have been going on for years.

The first big challenge would simply be to get everyone to agree to the rules. Russia, China, Iran, and North Korea have been accused of significant intrusions against the US, and analysts say these countries find cyber attacks cheap, effective, and easy to deny.

It’s not even clear whether these countries would be willing to actually agree to the terms because cyberattacks for them are “really useful in their geopolitical positioning,” April Falcon Doss, a former NSA official, told NPR.

In her opinion, a cyber treaty would be extremely difficult to monitor and enforce. That’s because the production, development, and storage of nuclear, biological, and chemical weapons are fundamentally different from the ephemeral nature of cyber weapons.