A new ransomware attack linked to the group that hit meat producer JBS SA has left cybersecurity officials scrambling to remediate the attack they believe likely infected hundreds of organizations worldwide and tens of thousands of computers.
The group, known as REvil, has focused its attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates to systems on computer networks, according to security researchers and VSA’s maker, Kaseya Ltd.
REvil is a well-known purveyor of ransomware—malicious software that locks up a victim’s computer until a digital ransom is paid, typically in the form of bitcoin. This latest attack appears to be its largest ever. The incident may have infected as many as 40,000 computers world-wide, according to cybersecurity experts.
The use of trusted partners like software makers or service providers to identify and compromise new victims, often called a supply-chain attack, is unusual in cases of ransomware, in which hackers shut down the systems of institutions and demand payment to allow them to regain control. The Kaseya incident appears to be the largest and most significant such attack to date, said Brett Callow, a threat analyst for cybersecurity company Emsisoft.
Among those affected was a supermarket chain in Sweden. The company said that in some cases its cash registers were hit in the attack, prompting many of its stores to remain shut Saturday. The company on Sunday said it was able to open additional outlets, though some stores remained shut.
Upon learning of the attack Friday, Kaseya immediately shut down its servers and began warning customers, the company said. Friday evening it said only customers running the software on their own servers, rather than users of Kaseya’s online service, appeared to have been affected. The company has recommended that users of its software keep those products offline until further notice. The company also is keeping its own cloud-based services offline until it determines that it can safely restart them, Kaseya said.
In an update Sunday morning, the company said it aimed to have a fix ready to deploy to customers in the next 24 to 48 hours and restore its cloud-based services on about the same timeline. It also has begun deploying a tool to help customers determine whether their systems were infected.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency advised Kaseya users to shut down their VSA servers immediately. “CISA is closely monitoring this situation and we are working with the FBI to gather information about its impact,” said Eric Goldstein, the agency’s executive assistant director for cybersecurity.
Kaseya says that fewer than 40 of its more than 36,000 customers were affected by the incident. However, more than 30 of these customers were service providers, a company spokeswoman said Saturday. Those providers, in turn, have many more customers that could have potentially been hit.
Ransomware attacks are increasing in frequency, victim losses are skyrocketing, and hackers are shifting their targets. WSJ’s Dustin Volz explains why these attacks are on the rise and what the U.S. can do to fight them. Most of the customers of these providers are small and midsize organizations, said Kyle Hanslovan, chief executive of the security firm Huntress.
While the cause of the attack is still being investigated, it is “very likely there is some vulnerability or a flaw that is being mass-exploited in VSA,” Mr. Hanslovan said. Ransomware groups, including REvil, have targeted service providers in the past, including with a 2019 attack that hit at least 22 municipalities in Texas, said Emsisoft’s Mr. Callow.
“I’ve never seen a ransomware attack impact so many companies at one time,” said Al Saikali, a partner at law firm Shook, Hardy & Bacon LLP, which was brought in to consult on six ransomware attacks related to the VSA incident Friday. On his busiest previous day, he said, he had signed up two clients. Ransom demands in the six attacks ranged from $25,000 to $150,000, he said. For service providers themselves, the demands are higher—in one case, $5 million, Mr. Hanslovan said.
Ransomware has emerged as one of the country’s most serious security problems in recent years, as hackers have targeted businesses, hospitals, schools and other institutions. Attackers have grown bolder as millions of people began using less-secure home internet connections for work and school during pandemic lockdowns.
The ransomware phenomenon shot into the spotlight in May when an attack forced Colonial Pipeline Co., a major shipper of gasoline to the U.S. East Coast, to shut down a pipeline, drying up supplies at gas stations across the Southeast. Intelligence officials have linked this attack and others to Russia, a charge officials there denied.
Joe Biden, traveling in Michigan, told reporters he had been briefed on the attack and that U.S. officials were trying to determine the extent of the Russian government’s involvement. “First of all we’re not sure who it is for certain,” Biden said when asked about the attack.
“The initial thinking was it was not the Russian government. But we’re not sure yet.” He added that he has warned Russian President Vladimir Putin that the U.S. would respond to Russian government-sponsored cyberattacks. At a recent summit with Mr. Putin, the president addressed cybersecurity and said critical infrastructure should be off-limits to attacks.
About a month ago, a REvil attack temporarily knocked out plants that process one-fifth of the U.S. meat supply. JBS’s U.S. unit paid $11 million in ransom to the attackers, according to a company executive.