The latest in a string of severe cyberattacks has affected more than 1,000 businesses worldwide. Here’s what we know so far.
On Friday (2 July), a major ransomware attack in the US hit multiple managed service providers, affecting more than 1,000 businesses and organisations.
This includes schools, small public sector bodies, travel companies, credit unions and accountants.
The White House deputy national security adviser for cyber and emerging technology, Anne Neuberger, said in a statement that the FBI and the Department of Homeland Security’s cyber arm “will reach out to identified victims to provide assistance based upon an assessment of national risk”.
While the attack started in the US, it has impacted companies around the world, including Swedish grocery store chain Coop, which closed hundreds of its stores over the weekend. This is because a tool used to update its checkout tills remotely was affected by the attack.
It is the latest in a string of major ransomware attacks receiving global attention, including incidents impacting a major gas pipeline, the world’s largest meat producer and Ireland’s Health Service Executive (HSE).
The attack began at Kaseya, a Miami-based software supplier. On Friday, the company reported a “sophisticated attack” on its VSA software, a set of tools used by IT departments to manage and monitor computers remotely.
The cybercriminals responsible for the attack found a vulnerability in Kaseya’s supply chain and used a malware protection program to deliver ransomware code to businesses that use the software.
While Kaseya initially estimated that only about 40 customers had been directly affected, the impact of the attack spread further because its customers include managed service providers (MSPs) that use the software to service hundreds of businesses.
Cybersecurity firm Huntress Labs, which is investigating the incident, said as many as 30 MSPs across the US, Australia, the EU and Latin America had been hit and more than 1,000 of those MSPs’ clients could be affected.
According to security company ESET, the majority of reports are coming from the UK, South Africa, Canada, Germany, the US and Colombia.
Kaseya has advised its customers that all on-premises VSA servers should remain offline and said a patch will need to be installed prior to restarting the VSA.
In its latest security update, the company also said it had been advised by outside experts that customers who experience ransomware and receive communication from the attackers should not click on any links as they may be weaponised.
Who is responsible?
The attack is believed to come from REvil, a ransomware-as-a-service cybergang thought to be based in Russia. On its dark web blog, REvil claimed responsibility and said the attack infected more than a million systems.
The gang has an affiliate structure and previous attacks attributed to REvil or its affiliates include a ransomware outbreak in 2019 that affected more than 20 local governments in Texas and the recent attack on meat producer JBS Foods.
What ransom is being demanded?
REvil has demanded $70m in ransom for a universal decryption tool promising to decrypt files of all victims in less than an hour. If paid, it could become the highest ransomware payment ever made.
However, paying ransoms is generally not advised by security experts. This is because it allows cybercriminals to profit, encouraging further attacks and putting a target on companies that agree to the demands.
According to a study from infosec company Cybereason, 80pc of organisations that opted to pay a ransom demand suffered a second ransomware attack, often from the same threat actor group.
Furthermore, there is no guarantee that cybercriminals will make good on their promises even if a ransom is paid. According to a recent report from security software company Sophos, 92pc of companies that opt to pay a ransom don’t get their data back.
Even when decryption tools are provided, the cost and time it takes to restore systems with a large attack such as this one could be huge.
Speaking at an Oireachtas Joint Committee on Health on 23 June, HSE CEO Paul Reid said it will take months before systems are fully restored and immediate costs are “well over €100m”.
“Decryption takes much longer than the original encryption, and eradication involves additional tasks to ensure that the perpetrators have no access route back into our systems,” he added.
What’s being done to fix the problem?
In its latest security update, Kaseya said its teams are working “around the clock in all geographies” to restore its customers to service.
“We have successfully completed an external vulnerability scan, checked our SaaS databases for indicators of compromise, and have had external security experts review our code to ensure a successful service restart.”
It does not currently have a timeline for when its data centres can go back online but it plans to start the restoration process by the end of today (5 July).
“Once we have begun the SaaS data centre restoration process, we will publish the schedule for distributing the patch for on-premises customers,” the company added.
It also announced that it hired cybersecurity company FireEye to help deal with the fallout.
Kaseya said some lightly used legacy VSA functionality will be removed out of an “abundance of caution”.
It also said there will be new security measures implemented including enhanced security monitoring of its SaaS servers by FireEye.