Ransomware attack on over 1,000 firms by Russia-linked group

WASHINGTON • A Russia-linked hacking group has compromised more than 1,000 businesses in an ongoing ransomware attack, according to the cyber-security firm Huntress Labs.
The hackers targeted managed service providers, which often give IT support to small- to medium-size businesses, according to the US-based Huntress Labs.
By targeting a managed service provider (MSP), hackers may then be able to access and infiltrate its customers' computer networks.
Cyber-security researchers have pointed to Kaseya, which develops software used by managed service providers, as the potential root cause of the hack.
The software company provides services to more than 40,000 organisations around the world. It said on Friday that it had limited the attack to a very small percentage of its customers that use the company's signature VSA software, "currently estimated at fewer than 40 worldwide".
It also urged customers that use its systems management platform, called VSA, to immediately shut down their servers.
The impact of the attack is only beginning to come to light. In Sweden, a majority of grocery chain Coop's more than 800 stores could not open yesterday after the attack led to a malfunction of their cash registers, spokesman Therese Knapp said.
There are victims in 11 countries so far, according to research published by cyber-security firm Eset.
Mr John Hammond, a researcher at Huntress Labs, said that so far, more than 20 companies that provide security or technology tools for hundreds of other small businesses might have been compromised by the attack.
He added that REvil, a Russian cyber-criminal group that the Federal Bureau of Investigation had said was behind the hacking of the world's largest meat processor, JBS, in May, was most likely to blame for the latest strikes.
Some of the affected companies were being asked for US$5 million (S$6.7 million) in ransom, Mr Hammond said.
"Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business," Mr Hammond said. "This is a colossal and devastating supply-chain attack."
The US Cybersecurity and Infrastructure Security Agency also described the incident in a statement on its website as a "supply-chain ransomware attack".
It urged Kaseya's customers to shut down their servers and said it was investigating.
"This is one of the most broadly impactful, non-nation state executed, attacks we have ever seen and it appears purely designed to extract money," said Mr Andrew Howard, chief executive officer of Switzerland-based Kudelski Security, a provider of managed cyber-security services.
"It is difficult to imagine a better way for an attacker to distribute malware than through trusted IT providers."
Mr Jake Williams, chief technology officer at BreachQuest, said he has already responded to multiple ransomware victims including a school and a manufacturer.
Unlike in the past, when hackers often demanded one bulk payment from a managed service provider, it appears that the actors behind REvil are demanding payment from each MSP client, according to Mr Williams.
Russian state-sponsored hackers have been blamed for attacks against nine US government agencies and about 100 businesses, including the Texas-based tech company SolarWinds and Colonial Pipeline, America's largest fuel pipeline. The pipeline attack squeezed oil supplies along the East Coast of the US.
BLOOMBERG, NYTIMES, AGENCE FRANCE-PRESSE