US investigates Russian links to powerful cyberattack that hit hundreds of businesses in multiple countries




Hundreds of businesses have been affected

A massive ransomware attack that occurred hours before the start of the July 4 weekend has already affected hundreds of businesses in several countries and possibly many more, researchers say. The President of the United States announced the transfer of “all government resources” to elucidate the origin and cause of the computer attack.

On Saturday morning, information technology company Kaseya confirmed it had suffered a “sophisticated cyber attack” on its VSA software, a set of tools used by IT departments to manage and monitor computers remotely. Victims were reportedly asked for ransoms of between $50,000, for small businesses, and $5 million for large ones.

Since Kaseya’s software is used by large IT companies offering contract services to hundreds of small businesses, the attack could have spread to thousands of victims. Kaseya has warned all of its nearly 40,000 customers to immediately disconnect their software from Kaseya. Cybersecurity firm Huntress Labs said it found 20 IT companies, known as managed service providers, that were attacked. More than 1,000 customers of these companies, mostly small businesses, were also affected by the hack, Huntress Labs said on Reddit.

“I wouldn’t be surprised if there were thousands of companies,” said Fabian Wosar, chief technology officer of Emsisoft, a company that provides software and advice to help organizations defend themselves against ransomware attacks. “We don’t know yet because of the long weekend in America.”

A large supermarket chain in Sweden confirmed it had been affected by an attack, which means its cash registers have been locked. It had to close hundreds of stores, Coop Sweden said on its Facebook page.

The President of the United States announced the transfer of “all government resources” to elucidate the origin and cause of the computer attack. (EFE)

Due to the large number of potentially affected businesses, the attack could be one of the largest in history. Investigators say REvil, the same hacking group that attacked global meat giant JBS earlier this year, is behind the attack.

The assault could worsen tensions between the United States and Russia because it comes just weeks after President Joe Biden met Russian President Vladimir Putin in Geneva, warning him that the United States would hold Moscow responsible for Russia’s cyber attacks. Many cybersecurity threat analysts believe REvil operates largely from Russia. The recent wave of attacks underscores the challenge the Biden administration faces in deterring ransomware attacks carried out by criminals who have safe haven in countries like Russia.

Instead of a cautious and targeted attack on a single large company, this hack appears to have used managed service providers to spread indiscriminately across a vast network of small businesses. Unlike most ransomware attacks, REvil doesn’t appear to have attempted to steal sensitive data before blocking its victims, Wosar said.

Less than a month ago, presidents met in Geneva to iron out relations between the United States and Russia (PHOTO: REUTERS)

“At this point at least it looks like it was more of a spray and prayer attack, they didn’t try to exfiltrate the data of all the victims,” he said. “It was more of a carpet bombardment.” “We believe we have identified the source of the vulnerability and are preparing a patch to mitigate it,” Kaseya CEO Fred Voccola wrote in a statement Friday evening.

Investigators said cybercriminals sent out two different ransom demands on Friday, demanding $50,000 from small businesses and $5 million from larger ones.

The US Cybersecurity and Infrastructure Security Agency urged companies in a statement to follow Kaseya’s advice, saying it is “taking action to understand and combat the recent supply chain ransomware attack.”

“This is the biggest cyberattack on a non-state’s supply chain that we have ever seen,” Allan Liska, researcher at cybersecurity firm Recorded Future, said on Friday. “And it’s probably the biggest ransomware attack we’ve seen, at least the biggest since WannaCry.”

He noted that this could be the largest number of businesses affected by a ransomware attack. The businesses affected could be a wide variety of small and large businesses, and many of them are likely to be small and medium businesses using managed IT services. Kaseya also has several state and local governments as clients, Liska said.

The WannaCry computer worm affected hundreds of thousands of people in 2017. The National Security Agency ultimately linked the North Korean government to the creation of the worm.

Ransomware attacks increased dramatically in frequency and severity in 2020. A report by a task force of more than 60 experts said nearly 2,400 governments, healthcare systems and schools nationwide were affected by ransomware in 2020. Organizations paid attackers over $412 million in ransom payments last year, according to analytics firm Chainalysis.

After an attack in May on Colonial Pipeline, which caused panic lines at gas pumps and empty service stations, the US government increased its emphasis on addressing cybersecurity problems and urged American companies to strengthen their IT security.

Colonial Pipeline attack halted fuel shipments to gas stations on the U.S. east coast (PHOTO: EFE)

Ransomware attacks have increased as hackers band together and form gangs of cybercriminals to extort money from businesses. The attacks are usually carried out by attackers from Russia and Eastern Europe.

Hackers gain access to a company’s computer system using tactics such as sending “phishing” emails designed to trick employees into inadvertently installing malware on their computers. Once inside, cybercriminals block parts of the company’s networks and demand payment to return them to the owner. In addition, hackers often steal information from private companies and threaten to leak it over the internet if they are not paid.

It is still unclear how the attackers gained access to Kaseya’s system. The company has been a popular target for REvil, Liska said, likely because it serves many other organizations as customers.

The attackers included a ransom note directing victims to a website to pay a ransom, although Liska said the site had been down all afternoon and night.

Kaseya spokeswoman Dana Liedholm said the investigation into the incident was ongoing, pointing to the company’s earlier statement.
