Ransomware hits hundreds of US companies, security firm says

Jul 2, 2021, 4:53 PM | Updated: Jul 3, 2021, 8:19 am

WASHINGTON (AP) — A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.

The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers. Other researchers agreed with Hammond’s assessment.

“Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,” Hammond said in a direct message on Twitter. “This is a colossal and devastating supply chain attack.”

Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.

It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement on its website to immediately shut down servers running the affected software. It said the attack was limited to a “small number” of its customers.

Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.

“This is SolarWinds with ransomware,” he said. He was referring to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.

Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It’s no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.

“There’s zero doubt in my mind that the timing here was intentional,” he said.

Hammond of Huntress said he was aware of four managed-services providers — companies that host IT infrastructure for multiple customers — being hit by the ransomware, which encrypts networks until the victims pay off attackers. He said thousands of computers were hit.

“We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” Hammond said.

Hammond wrote on Twitter: “Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinokibi.” The FBI linked the same ransomware provider to a May attack on JBS SA, a major global meat processor.

The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.

CISA urged anyone who might be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.” Kaseya runs what’s called a virtual system administrator, or VSA, that’s used to remotely manage and monitor a customer’s network.

The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as “one of Miami’s oldest tech companies” in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.

Brian Honan, an Irish cybersecurity consultant, said by email Friday that “this is a classic supply chain attack where the criminals have compromised a trusted supplier of companies and have abused that trust to attack their customers.”

He said it can be difficult for smaller businesses to defend against this type of attack because they “rely on the security of their suppliers and the software those suppliers are using.”

The only good news, said Williams, of Rendition Infosec, is that “a lot of our customers don’t have Kaseya on every machine in their network,” making it harder for attackers to move across an organization’s computer systems.

That makes for an easier recovery, he said.

Active since April 2019, the group known as REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.

REvil is among ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts. The average ransom payment to the group was about half a million dollars last year, said the Palo Alto Networks cybersecurity firm in a recent report.

Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims — though the long U.S. holiday weekend might give it more time to start working through the list.

___

Bajak reported from Boston; O’Brien contributed from Providence, Rhode Island.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
