Massive Russia-linked ransomware attack hits more than 1,000 companies

The hacking group behind the attack is known as "REvil". ST PHOTO: KELVIN CHNG

NEW YORK (BLOOMBERG) - A massive ransomware attack on the software supply chain has impacted more than 1,000 businesses so far, and the number may continue to grow, according to the cybersecurity firm Huntress Labs Inc.

The hackers targeted managed service providers, which provide IT services primarily to small- and medium-size businesses.

Such attacks can have a multiplying effect, since the hackers may then gain access and infiltrate the MSPs' customers too.

So far, more than 20 MSPs have been affected, said John Hammond, a cybersecurity researcher at Huntress Labs.

The impact of the attack is only beginning to come to light.

In Sweden, a majority of grocery chain Coop's more than 800 stores couldn't open on Saturday after the attack led to a malfunction of their cash registers, spokesperson Therese Knapp told Bloomberg News.

The hackers were identified as the Russia-linked ransomware group REvil, which was accused last month of hacking giant meatpacker JBS SA.

There are victims in 11 countries so far, according to research published by cybersecurity firm Eset.

The hackers appear to have targeted Kaseya Ltd, a Miami-based developer of software for managed service providers, as a way to attack its customers, according to cybersecurity experts.

"What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business," Hammond said.

"Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business."

In a statement, Kaseya said it has notified the FBI. The company said it had so far identified fewer than 40 customers that were impacted by the attack.

Two of the affected managed service providers include Synnex Corp and Avtex LLC, according to two sources familiar with the breaches.

Reached by telephone, Avtex president George Demou told Bloomberg News in a text message on Friday (July 2) night that "Hundreds of MSPs have been impacted by what appears to be a Global Supply Chain hack".

"We are working with those customers who have been impacted to help them to recover," he added.

A Synnex spokesperson did not immediately respond to requests for comment.

Hammond said he expects the number of victims to "significantly rise" as more compromised managed service providers are discovered. The names of the MSP customers who were attacked aren't yet known.

"This is one of the most broadly impactful, non-nation state executed, attacks we have ever seen and it appears purely designed to extract money," said Andrew Howard, chief executive officer of Switzerland-based Kudelski Security, a provider of managed cybersecurity services.

"It is difficult to imagine a better way for an attacker to distribute malware than through trusted IT providers."

Jake Williams, chief technology officer at BreachQuest, said he's already responded to multiple ransomware victims, including a school and a manufacturer. In those cases, ransom demands started at US$45,000 (S$60,600), he said.

In the past, ransomware groups have often demanded one bulk payment from a managed service provider, instead of attempting to collect payment from all of its clients. But in this case, it appears the REvil actors are encrypting hundreds of MSP clients and demanding payment from each one, Williams said.

"There's no way the actors have the bandwidth to handle each individual case at the same time," said Williams. "If they keep going this way, this will take weeks to resolve."

The attacks come a few weeks after a summit between President Joe Biden and Russian President Vladimir Putin in which Biden warned that 16 kinds of critical infrastructure were off limits for cyberattacks.

Russian state-sponsored hackers were blamed for attacks against nine US government agencies and about 100 businesses, which were disclosed in December and involved, in part, malicious updates in software from Texas-based SolarWinds Corp.

More recently, a ransomware attack on Colonial Pipeline Co., which squeezed gasoline supplies along the East Coast, was blamed on a Russian-linked criminal gang called DarkSide.

Cybersecurity researchers have pointed to Kaseya, which develops software used by managed service providers, as the potential root cause of the hack. Kaseya on Friday advised its customers to shut down its Virtual System Administrator software due to a potential attack.

"We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us," Kaseya said in a statement.

The Cybersecurity and Infrastructure Security Agency acknowledged the hacks in a brief statement.

"CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software," the agency said.

Jason Ingalls, founder of the breach response company Ingalls Information Security, said attacks such as the MSP attack announced on Friday are becoming more common.

"Hackers are infiltrating the most trusted source of software or security in a huge supply chain, and then compromising all of their clients," he said.

"This is the same attack method used in the SolarWinds hack, but now it's being used by criminals to leverage their access to one victim to ransom many more."
