The group, known as REvil, has focused its attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates to systems on computer networks, according to security researchers and VSA’s maker, Kaseya Ltd.
The use of trusted partners like software makers or service providers to identify and compromise new victims, often called a supply-chain attack, is unusual in cases of ransomware, in which hackers shut down the systems of institutions and demand payment to allow them to regain control. The Kaseya incident appears to be the “largest and most significant” such attack to date, said Brett Callow, a threat analyst for cybersecurity company Emsisoft.
Upon learning of the attack Friday, Kaseya immediately shut down its servers and began warning customers, the company said. As of Friday evening, it said, only customers running the software on their own servers, rather than users of Kaseya’s online service, appear to have been affected.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency advised Kaseya users to shut down their VSA servers immediately. “CISA is closely monitoring this situation and we are working with the FBI to gather information about its impact,” said Eric Goldstein, the agency’s executive assistant director for cybersecurity, in a statement.
Kaseya says that fewer than 40 of its more than 36,000 customers were affected by the incident. However, many of Kaseva’s users are service providers that, in turn, have many more customers that could have potentially been hit.
At least a dozen service providers that collectively manage the IT and security of about 1,000 customers were victims of the incident, said Kyle Hanslovan, chief executive of the security firm Huntress. Most of the customers of these providers are small and midsize organizations, he said.
While the cause of the attack is still being investigated, it is “very likely there is some vulnerability or a flaw that is being mass-exploited in VSA,” Mr. Hanslovan said.
Ransomware groups, including REvil, have targeted service providers in the past, including with a 2019 attack that hit at least 22 municipalities in Texas, said Emsisoft’s Mr. Callow.
“I’ve never seen a ransomware attack impact so many companies at one time,” said Al Saikali, a partner at law firm Shook, Hardy & Bacon LLP, which was brought in to consult on six ransomware attacks related to the VSA incident on Friday. On his busiest previous day, he said, he had signed up two clients. Ransom demands in the six attacks ranged from $25,000 to $150,000, he said.
For service providers themselves, the demands are higher—in one case, $5 million, Mr. Hanslovan said.
Ransomware has emerged as one of the country’s most serious security problems in recent years, as hackers have targeted businesses, hospitals, schools and other institutions. Attackers have grown bolder as millions of people began using less-secure home internet connections for work and school during pandemic lockdowns.
The ransomware phenomenon shot into the spotlight in May when an attacked forced Colonial Pipeline Co., a major shipper of gasoline to the U.S. East Coast, to shut down a pipeline, drying up supplies at gas stations across the Southeast. Intelligence officials have linked this attack and others to Russia, a charge officials there denied.
At a recent summit with Russian President Vladimir Putin, President Biden addressed cybersecurity and said critical infrastructure should be off-limits to attacks.
About a month ago, a REvil attack temporarily knocked out plants that process one-fifth of the U.S. meat supply. JBS’s U.S. unit paid $11 million in ransom to the attackers, according to a company executive.
Dustin Volz contributed to this article.
This story has been published from a wire agency feed without modifications to the text.
Never miss a story! Stay connected and informed with Mint.
our App Now!!