Massive ransomware attack potentially hit 1,000 businesses

SAN FRANCISCO — A ransomware attack on a US IT company potentially targeted 1,000 businesses, researchers said on Saturday, with one of Sweden's biggest supermarket chains revealing it had to temporarily close around 800 stores after losing access to its checkouts.

Kaseya said on Friday evening it had limited the attack to "a very small percentage of our customers" who use its signature VSA software — "currently estimated at fewer than 40 worldwide".

Cybersecurity firm Huntress Labs said in a Reddit forum, however, that it was working with partners targeted in the attack, and that the software was manipulated "to encrypt more than 1,000 companies".

Ransomware attacks typically involve locking away data in systems using encryption, making companies pay to regain access.

Kaseya describes itself as a leading provider of IT and security management services to small and medium-sized businesses.

VSA, the company's flagship offering, is designed to let companies manage networks of computers and printers from a single point.

"One of our subcontractors was hit by a digital attack, and that's why our checkouts aren't working any more," Coop Sweden, which accounts for around 20 per cent of the country's supermarket sector, said in a statement.

"We regret the situation and will do all we can to reopen swiftly," the cooperative added.

Coop Sweden did not name the subcontractor or reveal the hacking method used against it.

But the Swedish subsidiary of the Visma software group said the problem was linked to the Kaseya attack.

'Precautionary measure' 

Kaseya became aware of a possible incident with VSA at midday Friday on the US East Coast and "immediately shut down" its servers as a "precautionary measure", it said.

It also "immediately notified our on-premises customers via email, in-product notes, and phone to shut down their VSA servers to prevent them from being compromised".

"We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it," the company said in a statement.

According to the New Zealand government's Computer Emergency Response Team, the attackers were from a hacking group known as REvil.

REvil was also, according to the FBI, behind last month's attack on JBS, one of the world's biggest meat processors, which ended with the Brazil-based company paying bitcoin worth $11 million to the hackers.

The US Cybersecurity and Infrastructure Security Agency put out word that it was "taking action to understand and address the recent supply-chain ransomware attack" against Kaseya VSA and the service providers using its software.

CISA is "closely monitoring the situation", said Eric Goldstein, the agency's cybersecurity manager. 

"We are working with Kaseya and coordinating with the FBI to conduct outreach to victims who may be affected," he added in a message sent to AFP.

'Avoid paying' 

Kaseya lists a US headquarters in Florida and an international headquarters in Ireland. 

The UN Security Council this week held its first formal public meeting on cybersecurity, addressing the growing threat of hacks to countries' key infrastructure — an issue US President Joe Biden recently raised with Russian counterpart Vladimir Putin.

Several Security Council members acknowledged the grave dangers posed by cybercrime, notably ransomware attacks on key installations and companies.

Multiple US companies, including the computer group SolarWinds and the Colonial oil pipeline, have also recently been targeted by ransomware attacks.

The FBI has blamed those attacks on hackers based in Russian territory.

But typically, "cybercriminals operate company by company", said Gerome Billois, a cybersecurity expert with Wavestone consultancy.

"In this case, they attacked a company that provides software for managing data systems, allowing them to simultaneously target several dozen — possibly even hundreds — of companies," he said. 

Determining exactly how many is difficult, since affected companies lose their communications systems at the same time, Billois said. 

 Kaseya, which had urged its clients to shut down servers running its VSA platform, cannot know whether systems were turned off "voluntarily or by force".

"This is one of the largest, most widespread ransomware attacks I've seen in my career," said Alfred Saikali of law firm Shook, Hardy & Bacon.

"I have never seen this many companies hire us in a single day for the same incident. As a general rule, you want to avoid paying the ransom at all costs."