WASHINGTON – A ransomware attack paralyzed the networks of at least 200 American companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.
The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals attacked a software vendor called Kaseya, using its network administration software as a conduit for spreading ransomware through cloud service providers. Other researchers agreed with Hammond’s assessment.
“Kaseya operates from large companies to small companies globally, so ultimately (this) has the potential to extend to companies of any size or scale,” Hammond said in a direct message on Twitter. “This is a colossal and devastating supply chain attack.” Such attacks compromise widely used software and distribute malware through the software’s own trusted update mechanism, so the malicious code reaches every customer that installs the update.
It was not immediately clear how many Kaseya customers could be affected or who they were. In a statement on its website, Kaseya urged customers to immediately shut down the servers running the affected software. The company said the attack was limited to a “small number” of its customers.
Brett Callow, a ransomware expert at cybersecurity firm Emsisoft, said he was not aware of any previous supply chain ransomware attacks on this scale. There have been others, but they were quite minor, he said.
“This is SolarWinds with ransomware,” he said. He was referring to a Russian hacking campaign discovered in December that spread through compromised network management software to infiltrate US federal agencies and dozens of corporations.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It is no coincidence that this happened just before the July 4 holiday weekend, when IT staffing is thin, he added.
“I have no doubt that the timing here was intentional,” he said.
Huntress’s Hammond said he was aware of four managed service providers, companies that host IT infrastructure for multiple clients, that were being hit by the ransomware, which encrypts victims’ systems and withholds the decryption key until they pay the attackers. He said thousands of computers were attacked.
“We currently have three Huntress partners that are affected, with approximately 200 businesses that have been encrypted,” said Hammond.
Hammond wrote on Twitter: “Based on everything we are seeing right now, we strongly believe that this (is) REvil / Sodinokibi.” The FBI linked the same ransomware group to a May attack on JBS SA, a major global meat processor.
The White House and the federal Cybersecurity and Infrastructure Security Agency did not immediately return messages seeking comment.
• Bajak reported from Boston; O’Brien contributed from Providence, Rhode Island.
Copyright © 2021 The Washington Times, LLC.