Companies on Saturday attempted to contain a ransomware attack that paralyzed their computer networks, a situation made more difficult in the US by lightly staffed offices at the start of the July 4th holiday weekend.
In Sweden, most of the 800 shops of the Coop grocery chain could not open because their registers were not working, according to the public broadcaster SVT. The Swedish State Railways and a large local pharmacy chain were also affected.
Cybersecurity experts say the REvil gang, a large Russian-speaking ransomware syndicate, appears to be behind the attack, which targeted a software provider named Kaseya and used its network management package as a channel to spread the ransomware through cloud service providers.
Fred Voccola, CEO of Kaseya, said in a statement late Friday evening that the company believes it has identified the source of the vulnerability and “will release this patch as soon as possible to get our customers back up and running.”
John Hammond of security firm Huntress Labs said he was aware of a number of managed service providers – companies that host IT infrastructure for multiple customers – that had been hit by ransomware, which encrypts networks until victims pay the attackers. He said thousands of computers were hit.
“It is reasonable to assume that this could potentially affect thousands of small businesses,” Hammond said, basing this on service providers reaching out to his company for help and on comments on Reddit showing how others are responding.
Voccola said fewer than 40 of Kaseya’s customers have been affected, but the ransomware could still affect hundreds more companies that rely on Kaseya’s customers for more comprehensive IT services.
Voccola said the problem only affects its “on-premise” customers, meaning companies that run their own data centers. It has no impact on its cloud-based services that run software for customers, although Kaseya has also shut down those servers as a precautionary measure, he said.
The company added in a statement on Saturday that “customers who have experienced ransomware and receive a message from the attackers should not click links – they could be used as weapons”.
Gartner analyst Katell Thielemann said it was clear that Kaseya took action quickly, but it is less clear whether their affected customers had the same level of willingness.
“They responded with an abundance of caution,” she said. “But the reality of this event is that it is designed for maximum impact, combining a supply chain attack with a ransomware attack.”
Supply chain attacks typically infiltrate widely used software so that malware spreads to its users when that software is automatically updated.
To make matters worse, this happened at the start of a major US bank holiday weekend when most of the company’s IT teams were under-staffed.
The federal Cybersecurity and Infrastructure Security Agency (CISA) said in a statement that it is closely monitoring the situation and is working with the FBI to gather more information about its impact.
CISA urged anyone who could be affected “to follow Kaseya’s instructions to shut down VSA servers immediately”. Kaseya runs what is called a virtual system administrator, or VSA, which is used to remotely manage and monitor a customer’s network.
Privately held Kaseya is based in Dublin, Ireland with a US headquarters in Miami.
REvil, the group most experts linked to the attack, was the same ransomware provider the FBI linked to an attack on JBS SA, a major global meat processor, on the Memorial Day holiday weekend in May.
The group has been active since April 2019 and offers ransomware-as-a-service, which means it develops the network-crippling software and rents it to so-called affiliates who infect targets and earn the lion’s share of the ransom money.