WASHINGTON – A ransomware attack paralyzed the networks of at least 200 American companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.
The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of security firm Huntress Labs. He said the criminals attacked a software vendor called Kaseya, using its network administration suite as a conduit for spreading ransomware through cloud service providers. Other researchers agreed with Hammond’s assessment.
“Kaseya handles large companies to small companies globally, so ultimately (this) has the potential to extend to companies of any size or scale,” Hammond said in a direct message on Twitter. “This is a colossal and devastating supply chain attack.” Such attacks typically compromise widely used software and spread malware as that software updates automatically on customers’ systems.
It was not immediately clear how many Kaseya clients could be affected or who they were. Kaseya urged customers in a statement on its website to immediately shut down the servers running the affected software. It said the attack was limited to a “small number” of its clients.
Brett Callow, a ransomware expert at cybersecurity firm Emsisoft, said he was not aware of any previous supply chain ransomware attacks on this scale. There have been others, but they were quite minor, he said.
“This is SolarWinds with ransomware,” he said. He was referring to a Russian cyberespionage campaign discovered in December that spread by infecting network management software and was used to infiltrate US federal agencies and dozens of corporations.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies affected by ransomware. It’s no coincidence that this happened before the July 4 weekend, when IT staff is scarce, he added.
“I have no doubt that the timing here was intentional,” he said.
Huntress’s Hammond said he was aware of four managed service providers, companies that host IT infrastructure for multiple clients, that were being hit by the ransomware, which encrypts victims’ files and demands payment for the decryption key. He said thousands of computers were attacked.
“We currently have three Huntress partners who are affected, with approximately 200 companies that have been encrypted,” Hammond said.
Hammond wrote on Twitter: “Based on everything we are seeing right now, we strongly believe that this (is) REvil / Sodinokibi.” The FBI linked the same ransomware gang to a May attack on JBS SA, a major global meat processor.
The White House and the federal Cybersecurity and Infrastructure Security Agency did not immediately return messages seeking comment.
• Bajak reported from Boston; O’Brien contributed from Providence, Rhode Island.
Copyright © 2021 The Washington Times, LLC.